Bug 808

Summary: segfault if not using pam/keyboard-interactive mech and password's expired
Product: Portable OpenSSH    Reporter: Buck Huppmann <buckh>
Component: PAM support    Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: 3.8p1   
Hardware: SPARC   
OS: Solaris   
Bug Depends on:    
Bug Blocks: 821    
Attachments:
Description                                      Flags
referenced patch                                 none
Change start_pam(user) to start_pam(authctxt)    none

Description Darren Tucker 2004-03-04 23:45:20 AEDT
Created attachment 569
Change start_pam(user) to start_pam(authctxt)

Guilty.  Slightly different patch attached.

Note that this is a NULL pointer dereference and is *not* considered to be a
security vulnerability.
Comment 1 Darren Tucker 2004-03-05 00:19:16 AEDT
Sigh.  I had already written the following announcement when the bug was opened
and I was just about to send it to openssh-unix-dev (which seems to be bouncing
postings right now...)

    I'm sorry to report that there is a bug in the PAM code in OpenSSH 3.8p1,
and sorrier to say that I put it there.  This is a NULL pointer dereference and
is *not* considered to be a security vulnerability.

    When sshd is configured --with-pam, run with UsePAM=yes,
PasswordAuthentication=yes, and a user with an expired password successfully
authenticates via password without trying keyboard-interactive first, sshd will
attempt to dereference a NULL pointer and segfault.  In such a case, the user's
session will be immediately terminated.

    If UsePAM=no (the default), or UsePAM=yes and PasswordAuthentication=no
(recommended in the sshd_config man page) then this problem will not occur.

    The attached patch fixes this.  Please test it, we would like to release a
3.8p2 soon containing this and a few other fixes.

    My apologies to anyone inconvenienced by this.
Comment 2 Buck Huppmann 2004-03-05 08:04:55 AEDT
if you don't authenticate via pam/keyboard-interactive, then when
do_pam_account figures out your password is expired and calls
pam_password_change_required, the latter will probably segfault when it
dereferences the uninitialized int *force_pwchange. this is because, if you
don't authenticate using the PRIVSEP(sshpam_device), sshpam_init_ctx is
never called, so force_pwchange isn't properly initialized

I'll attach a workaround patch, but not without serious misgivings about
how crappy it is, so it won't hurt my feelings if you come up with a much
better fix

all in all, though, 3.8p1 does password-changing and chauthtok-ing
much better than its predecessor, so thanks again for the great work

--buck
Comment 3 Buck Huppmann 2004-03-05 08:06:17 AEDT
Created attachment 568
referenced patch
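A minimal C model of the control flow Buck describes in comment 2, and of the shape of the fix named in attachment 569 (start_pam taking the authctxt rather than the user name). This is an added example written for this page, not OpenSSH source: the Authctxt layout, the file-scope pointer names and the stand-in function bodies are assumptions, and the "3.8p1" account check reports whether the store in pam_password_change_required would go through a NULL pointer instead of performing it, so the model can be run without crashing.

```c
/*
 * Added example, not OpenSSH's own code: a minimal C model of the control
 * flow described in comment 2.  The names below (Authctxt, force_pwchange,
 * sshpam_init_ctx, start_pam, do_pam_account) follow the names used on this
 * page, but their bodies are assumed stand-ins; the real sshd code is not
 * reproduced here.
 */
#include <stddef.h>
#include <stdio.h>

/* Assumed per-connection auth context: the field PAM must write into. */
typedef struct {
    const char *user;
    int force_pwchange;
} Authctxt;

enum { MECH_KBDINT = 0, MECH_PASSWORD = 1 };

/* ---------- 3.8p1 shape: pointer set only by the kbd-int device ---------- */

/* File-scope pointer that only sshpam_init_ctx() ever points at a context. */
static int *force_pwchange_38p1 = NULL;

/* Opens the PAM handle by user name; it has no Authctxt to remember. */
static void start_pam_38p1(const char *user) { (void)user; }

/* Runs only when the keyboard-interactive device is used. */
static void sshpam_init_ctx_38p1(Authctxt *ctxt) {
    force_pwchange_38p1 = &ctxt->force_pwchange;
}

/*
 * Models do_pam_account() for one fresh sshd child.  Instead of calling
 * pam_password_change_required(), which would do *force_pwchange = 1,
 * it returns 1 when that store would go through a NULL pointer.
 */
int do_pam_account_38p1_would_crash(int mech, int password_expired) {
    Authctxt ctxt = { "alice", 0 };           /* constructed sample user */
    force_pwchange_38p1 = NULL;               /* new process, nothing set yet */
    start_pam_38p1(ctxt.user);
    if (mech == MECH_KBDINT)
        sshpam_init_ctx_38p1(&ctxt);          /* the only initialising path */
    if (!password_expired)
        return 0;                             /* PAM never reports a change */
    return force_pwchange_38p1 == NULL;       /* password path: never set */
}

/* ---------- fixed shape: start_pam() takes the Authctxt ---------- */

static Authctxt *sshpam_authctxt = NULL;

/* Every mechanism goes through start_pam(), so the context is always known. */
static void start_pam_fixed(Authctxt *ctxt) { sshpam_authctxt = ctxt; }

static void pam_password_change_required_fixed(int required) {
    sshpam_authctxt->force_pwchange = required;
}

/* Returns the force_pwchange value the session ends up with. */
int do_pam_account_fixed(int mech, int password_expired) {
    Authctxt ctxt = { "alice", 0 };
    (void)mech;                               /* kbd-int is no longer special */
    start_pam_fixed(&ctxt);
    if (password_expired)
        pam_password_change_required_fixed(1);
    return ctxt.force_pwchange;
}

int main(void) {
    printf("3.8p1, password auth, expired: crash=%d\n",
           do_pam_account_38p1_would_crash(MECH_PASSWORD, 1));
    printf("3.8p1, kbd-int, expired:       crash=%d\n",
           do_pam_account_38p1_would_crash(MECH_KBDINT, 1));
    printf("fixed, password auth, expired: force_pwchange=%d\n",
           do_pam_account_fixed(MECH_PASSWORD, 1));
    return 0;
}
```

The point the model makes is the one Buck raises: state that one authentication path initialises but another path consumes. Recording the context where every path must pass (start_pam) removes the dependency on which mechanism ran first; the same reasoning applies to any daemon that keeps per-session pointers in file-scope variables.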
Comment 4 Darren Tucker 2004-03-08 23:06:22 AEDT
A fix for this (id #596) has been committed, tomorrow's snapshot will have it. 
Please test it and re-open this bug if there are any problems with it.
Comment 5 Darren Tucker 2004-04-13 19:07:25 AEST
This will be fixed in 3.8.1p1.
Comment 6 Damien Miller 2004-04-19 23:31:24 AEST
Closed with release of portable OpenSSH 3.8.1p1