Bug 808 - segfault if not using pam/keyboard-interactive mech and password's expired
Summary: segfault if not using pam/keyboard-interactive mech and password's expired
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support (show other bugs)
Version: 3.8p1
Hardware: SPARC Solaris
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks: 821
Reported: 2004-03-05 08:04 AEDT by Buck Huppmann
Modified: 2004-04-19 23:33 AEST (History)

See Also:


Attachments
referenced patch (2.96 KB, patch)
2004-03-05 08:06 AEDT, Buck Huppmann
Change start_pam(user) to start_pam(authctxt) (7.61 KB, patch)
2004-03-04 23:45 AEDT, Darren Tucker

Description Darren Tucker 2004-03-04 23:45:20 AEDT
Created attachment 569 [details]
Change start_pam(user) to start_pam(authctxt)

Guilty.  Slightly different patch attached.

Note that this is a NULL pointer dereference and is *not* considered to be a
security vulnerability.
Comment 1 Darren Tucker 2004-03-05 00:19:16 AEDT
Sigh.  I had already written the following announcement when the bug was opened
and I was just about to send it to openssh-unix-dev (which seems to be bouncing
postings right now...)

    I'm sorry to report that there is a bug in the PAM code in OpenSSH 3.8p1,
and sorrier to say that I put it there.  This is a NULL pointer dereference and
is *not* considered to be a security vulnerability.

    When sshd is configured --with-pam, run with UsePAM=yes,
PasswordAuthentication=yes, and a user with an expired password successfully
authenticates via password without trying keyboard-interactive first, sshd will
attempt to dereference a NULL pointer and segfault.  In such a case, the user's
session will be immediately terminated.

    If UsePAM=no (the default), or UsePAM=yes and PasswordAuthentication=no
(recommended in the sshd_config man page) then this problem will not occur.

    The attached patch fixes this.  Please test it, we would like to release a
3.8p2 soon containing this and a few other fixes.

    My apologies to anyone inconvenienced by this.
Comment 2 Buck Huppmann 2004-03-05 08:04:55 AEDT
if you don't authenticate via pam/keyboard-interactive, then when
do_pam_account figures out your password is expired and calls
pam_password_change_required, the latter will probably segfault when it
dereferences the uninitialized int *force_pwchange. this is b/c, if you
don't authenticate using the PRIVSEP(sshpam_device), sshpam_init_ctx is
never called, so force_pwchange isn't properly initialized

i'll attach a workaround patch, but not without serious misgivings about
how crappy it is, so it won't hurt my feelings if you come up with a much
better fix

all in all, though, 3.8p1 does password-changing and chauthtok-ing
much better than its predecessor, so thanks again for the great work

--buck
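As an added illustration (not code from this report or from OpenSSH itself), a C model of the two shapes the comments above describe: the 3.8p1-style static pointer that only sshpam_init_ctx sets, beside the start_pam(authctxt) shape from the attached patch, each driven over the password and keyboard-interactive paths with an expired password. The struct and model_* names are assumptions; the buggy path returns 0 where the real code would dereference NULL.

```c
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical stand-in for sshd's Authctxt: only the field that matters here. */
struct authctxt { int force_pwchange; };
/* 3.8p1-style shape (a model, not OpenSSH's own code): a static pointer that only
 * the keyboard-interactive path (sshpam_init_ctx) ever fills in. */
static int *force_pwchange_ptr = NULL;
static void model_sshpam_init_ctx(struct authctxt *a) { force_pwchange_ptr = &a->force_pwchange; }

/* Expired-password branch of the account check, run after *any* successful auth.
 * Returns 1 on success, 0 where the real code would dereference NULL (the segfault). */
static int model_pw_change_required_buggy(void)
{
    if (force_pwchange_ptr == NULL)     /* password path never called init_ctx */
        return 0;
    *force_pwchange_ptr = 1;
    return 1;
}

/* Fixed shape: start_pam(authctxt) records the context for every session, so the
 * flag has a valid home whatever the auth method. */
static struct authctxt *sshpam_authctxt = NULL;
static void model_start_pam(struct authctxt *a) { sshpam_authctxt = a; }

static int model_pw_change_required_fixed(void)
{
    if (sshpam_authctxt == NULL)
        return 0;
    sshpam_authctxt->force_pwchange = 1;
    return 1;
}

/* Drive an expired-password login over either auth path; 1 = survives, 0 = crash. */
int login_buggy(bool via_kbdint)
{
    struct authctxt a = { 0 };
    force_pwchange_ptr = NULL;          /* fresh sshd child */
    if (via_kbdint)
        model_sshpam_init_ctx(&a);      /* skipped by PasswordAuthentication */
    return model_pw_change_required_buggy();
}

int login_fixed(bool via_kbdint)
{
    struct authctxt a = { 0 };
    model_start_pam(&a);                /* runs before any auth method */
    (void)via_kbdint;                   /* method no longer matters */
    return model_pw_change_required_fixed() && a.force_pwchange == 1;
}
```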
Comment 3 Buck Huppmann 2004-03-05 08:06:17 AEDT
Created attachment 568 [details]
referenced patch
Comment 4 Darren Tucker 2004-03-08 23:06:22 AEDT
A fix for this (id #596) has been committed; tomorrow's snapshot will have it.
Please test it and re-open this bug if there are any problems with it.
Comment 5 Darren Tucker 2004-04-13 19:07:25 AEST
This will be fixed in 3.8.1p1.
Comment 6 Damien Miller 2004-04-19 23:31:24 AEST
Closed with release of portable OpenSSH 3.8.1p1