Bug 121734 - openssl kills pam_ldap with SIGSEGV in err_cmp when authenticating against ldaps://
openssl kills pam_ldap with SIGSEGV in err_cmp when authenticating against ld...
Status: CLOSED CANTFIX
Product: Fedora Legacy
Classification: Retired
Component: nss_ldap (Show other bugs)
fc1
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
DEFER
: Security
: 121923 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-04-26 17:14 EDT by rob
Modified: 2009-09-21 15:59 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-08 16:26:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
backtrace from core dump (7.38 KB, text/plain)
2004-04-26 17:16 EDT, rob
no flags Details

  None (edit)
Description rob 2004-04-26 17:14:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040404 Firefox/0.8

Description of problem:
i use nss_ldap for authentication.  frequently when users try to login
gdm will crash.  it is restarted automatically and the next login
usually succeeds.  xscreensaver also crashes when it is configured to
ask for a password.

in an attempt to debug this problem i set LD_ASSUME_KERNEL=2.2.15,
ulimit -c unlimited, and ran the test-passwd program that is an
optional part of xscreensaver.  it seems to show things dying in
err_cmp in openssl.  am i interpreting the data correctly?  is there a
better


if ldaps:// is unconfigured the crashes stop until ldaps:// is reenabled.

Version-Release number of selected component (if applicable):
openssl-0.9.7a-33.10, openldap-2.1.22-8, nss_ldap-207-6

How reproducible:
Always

Steps to Reproduce:
1. configure pam_ldap to use ldaps:// authentication
2. build test-passwd from xscreensaver package. 
3. run test-passwd and enter the wrong password until it crashes
(./test-passwd tty)
    

Actual Results:  it crashes after less than 12 bad passwords (usually 2).

Expected Results:  it should say password okay and not crash.

Additional info:  qualitatively, it seems to be worse since the last
openssl update.
Comment 1 rob 2004-04-26 17:16:41 EDT
Created attachment 99703 [details]
backtrace from core dump
Comment 2 rob 2004-05-13 10:40:23 EDT
same problem exists with Fedora Core 2 Test 3.
Comment 3 James Bourne 2004-07-15 00:02:04 EDT
*** Bug 121923 has been marked as a duplicate of this bug. ***
Comment 4 Tomas Mraz 2005-04-22 10:28:56 EDT
Does the crash still happen with FC4 test releases?
Comment 5 rob 2005-04-22 10:45:53 EDT
i have not yet had a problem with FC3 or RHEL4.

i have not used FC4 test but assume that it would not regress from FC3.

perhaps this bug should be moved to legacy as it could be security relevant?
Comment 6 Tomas Mraz 2005-04-22 10:57:38 EDT
You're right that it could be security relevant however the question is which
code is the culprit. I'd suppose nss_ldap or openldap because there were no
significant changes which could affect this bug between FC2 and FC3 in the
openssl package.
Comment 7 James Bourne 2005-04-22 11:20:58 EDT
I have had this problem with FC3, but have not tried FC4-test yet.  I am running
RHEL4 and there have been not issues with xscreensaver in this version as yet.
Comment 8 Pekka Savola 2005-11-16 08:19:02 EST
This doesn't seem to be important enough to fix just on its own, so mark it DEFER.
Comment 9 James Bourne 2005-11-16 09:42:41 EST
I would like to think that a bug that possibley causes a pam module to segfault
would be important enough to fix just on its own or at least rule that out... 
It seems fairly clear that the error and segfault happens in err.c line 904
(which is part of openssl, crypto/err/err.c) based on the backtrace.  It is
possible in more recent versions there is a fixed issue but if this is still
happening in FC2/FC3 and older it would be wise to at least produce a security
advisory that states xscreensaver and other programs which depend on SSL may
crash in certain unknown cases, possibly leaving a system without basic security...

Regards
Comment 10 rob 2005-11-16 11:11:37 EST
fwiw, i still haven't seen this issue occur once in 6-8 months of running a
number of RHEL4 machines.
Comment 11 Jesse Keating 2006-08-13 09:10:21 EDT
Is this still a problem with the openssl released around October 30th?

openssl-0.9.7a-35.2.legacy

Please note that Fedora Legacy no longer supports FC1 or FC2.
Comment 12 Piotr Drąg 2008-11-08 16:26:45 EST
Closing Fedora Legacy bugs.

Note You need to log in before you can comment on or make changes to this bug.