Bug 1120104

Summary: pam segfaults on unexpected /etc/security/opasswd contents
Product: [Fedora] Fedora Reporter: Filip Krska <fkrska>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 20CC: qe-baseos-security, tmraz
Target Milestone: ---Keywords: EasyFix, Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pam-1.1.8-2.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1120099 Environment:
Last Closed: 2014-12-18 06:07:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Filip Krska 2014-07-16 09:37:58 UTC 
reproduces with pam-1.1.8-1.fc20.x86_64 as well

+++ This bug was initially created as a clone of Bug #1120099 +++

Description of problem:

pam segfaults when user wants to reset his password and a line beginning with his username exists in /etc/security/opasswd, however the record doesn't follow expected structure (e.g. accidentally rewrite content of /etc/security/opasswd with contents of /etc/passwd)

Version-Release number of selected component (if applicable):

pam-1.1.1-17.el6_5.x86_64

How reproducible:

Always

Steps to Reproduce:
1. add remember=3 to /etc/pam.d/system-auth-ac:
# diff /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.bak.2014.07.14
16c16
< password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3
---
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

2. # useradd test
3. # passwd test
4. mangle /etc/security/opasswd, e.g.
# cat /etc/security/opasswd
test

or

# cat /etc/security/opasswd
test:x:501:501::/home/test:/bin/bash
5. # su - test
6. $ passwd

Actual results:

Changing password for user test.
Changing password for test.
(current) UNIX password: 
New password: 
Retype new password: 
Segmentation fault

Expected results:

Changing password for user gpedr00.
Changing password for gpedr00.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error

Additional info:

Patch attached, didn't managed to reproduce the segfault with the patch (doesn't necessarily mean it's bulletproof or elegant). Throwing more descripting error message than just general "passwd: Authentication token manipulation error" would be also fine, not only in this case.
Comment 1 Fedora Update System 2014-12-05 10:28:07 UTC 
pam-1.1.8-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam-1.1.8-2.fc20
Comment 2 Fedora Update System 2014-12-05 10:28:19 UTC 
pam-1.1.6-13.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/pam-1.1.6-13.fc19
Comment 3 Fedora Update System 2014-12-06 02:29:37 UTC 
Package pam-1.1.8-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam-1.1.8-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16350/pam-1.1.8-2.fc20
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2014-12-18 06:07:44 UTC 
pam-1.1.8-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.