Bug 26115
| Summary: | pam_listfile segfaults on invalid usernames | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Need Real Name <spotter> |
| Component: | pam | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED RAWHIDE | QA Contact: | Aaron Brown <abrown> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | katzj |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2001-02-05 19:44:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This will be fixed in pam-0.74-5. Thanks! |
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) If one uses pam_listfile in the pam stack for login, if someone tries to telnet in (or use any application that uses login) and enters an invalid username, that pam module segfaults and the user has to telnet in again. Reproducible: Always Steps to Reproduce: 1. set up /etc/pam.d/login to use pam_listfile 2. telnet in, use bad name 3. see crash 4. easier method: instead of telnet, use gdb login easy fix, it segfaults on this code userinfo = getpwnam(citemp); setgrent(); grpinfo = getgrgid(userinfo->pw_gid); i.e. when citemp doesn't exist, getpwnam returns NULL, and therefore you operate on a null pointer a simple if (userinfo == NULL) return sense?PAM_SUCCESS:PAM_AUTH_ERR; after the getpwnam seems to make everything work properly. However, I am not a pam expert, so that might (probably?) is the wrong return value, but it seems to work here. here's a simple patch for the latest src.rpm that was in updates for 6.2 [spotter@yucs pam_listfile]$ diff pam_listfile.c pam_listfile.c.old 295,296d294 < if (userinfo == NULL) < return sense?PAM_SUCCESS:PAM_AUTH_ERR; This is still a problem in redhat 7's pam.