Bug 92045

Summary: xscreensaver crashes due to SIGPIPE generated in nss_ldap
Product: Red Hat Enterprise Linux 4 Reporter: Jason Wold <wold>
Component: nss_ldapAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4CC: ccweis, mattdm, notting, rstrode, srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-17 22:27:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch to xscreensaver to block/ignore/unblock a sigpipe generated from pam_authenticate call
none
gdb summary of xscreensaver crashing none

Description Jason Wold 2003-06-01 20:36:14 UTC
Description of problem:  When unlocking xscreensaver it dies with a SIGPIPE,
regardless of whether password was correct or not.  This can give unauthorized
access to users desktops.  We ran gdb on xscreensaver and saw the output below,
which indicates the SIGPIPE was getting propogated up from nss_ldap.  This seems
like an nss_ldap bug for not dealing with the SIGPIPE but xscreensaver was the
main client we were having a problem with.  I will attach the gdb xscreensaver
info and the patch we used to fix xscreensaver.

Version-Release number of selected component (if applicable):
xscreensaver-4.10-1gg1
nss_ldap-202-5


How reproducible:
This seems to depend on some timeout with the connection to the LDAP server so
it is not reliably reproduceable.  Unlocking my screen 20 times per day may
cause it to crash once or twice.

Steps to Reproduce:
1. run xscreensaver with pam authentication set to use pam_unix
and nsswitch setup to query "files ldap"
2. lock xscreensaver and wait for ldap server to timeout (5 minutes to an hour)
3. try to unlock screen with any password
    
Actual results:
xscreensaver crashes and unlocks the screen

Expected results:
xscreensaver should NEVER unlock the screen due to any signal it got from a client

Additional info:

Comment 1 Jason Wold 2003-06-01 20:39:31 UTC
Created attachment 92072 [details]
patch to xscreensaver to block/ignore/unblock a sigpipe generated from pam_authenticate call

Comment 2 Jason Wold 2003-06-01 20:40:15 UTC
Created attachment 92073 [details]
gdb summary of xscreensaver crashing

Comment 3 Christopher C. Weis 2003-11-17 15:54:24 UTC
We're having exactly the same problem here.  We switched from our
old(er) OpenLDAP implementation to RH ES 2.1 (openldap-2.0.27-2.7.3),
during which we changed "idletimeout 0" to "idletimeout 300" in our
slapd.conf file.

After this change, xscreensaver seems to semi-randomly crash (just
like Jason Wold described).  We also use nss_ldap on our HP-UX
machines, and the change causes the entire desktop session to crash
upon unlocking the screensaver.  It happens fairly consistently with
particular screensavers on the HP-UX machines, which may also agree
with the "client not handling the SIGPIPE correctly" argument.

This morning, I set "idletimeout" back to "0" (zero).  I'll let
everyone know in a few hours if it ends up helping the problem(s).

Comment 4 Bill Nottingham 2006-08-05 04:58:47 UTC
Red Hat apologizes that these issues have not been resolved yet. We do want to
make sure that no important bugs slip through the cracks.

Red Hat Linux 7.3 and Red Hat Linux 9 are no longer supported by Red Hat, Inc.
They are maintained by the Fedora Legacy project (http://www.fedoralegacy.org/)
for security updates only. If this is a security issue, please reassign to the
'Fedora Legacy' product in bugzilla. Please note that Legacy security update
support for these products will stop on December 31st, 2006.

If this is not a security issue, please check if this issue is still present
in a current Fedora Core release. If so, please change the product and version
to match, and check the box indicating that the requested information has been
provided.

If you are currently still running Red Hat Linux 7.3 or 9, please note that
Fedora Legacy security update support for these products will stop on December
31st, 2006. You are strongly advised to upgrade to a current Fedora Core release
or Red Hat Enterprise Linux or comparable. Some information on which option may
be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/.

Any bug still open against Red Hat Linux 7.3 or 9 at the end of 2006 will be
closed 'CANTFIX'. Again, if this bug still exists in a current release, or is a
security issue, please change the product as necessary. We thank you for your
help, and apologize again that we haven't handled these issues to this point.


Comment 6 Lubomir Kundrak 2006-12-21 13:07:43 UTC
Does this bug still exists?
If yes, I think just ignoring SIGPIPE is not the right way to fix it, the pam
module should not generate this signal.
Anyways, ignoring fatal signals might improve xscreensaver's robustness.

Comment 7 Nalin Dahyabhai 2010-02-17 22:27:04 UTC
I believe this was fixed some time ago, probably before EL4 (this bug was filed against RHL9, which predates EL3).  Marking as closed.  Please reopen this report if you continue to see the problem in 4.8.