From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040404 Firefox/0.8 Description of problem: i use nss_ldap for authentication. frequently when users try to login gdm will crash. it is restarted automatically and the next login usually succeeds. xscreensaver also crashes when it is configured to ask for a password. in an attempt to debug this problem i set LD_ASSUME_KERNEL=2.2.15, ulimit -c unlimited, and ran the test-passwd program that is an optional part of xscreensaver. it seems to show things dying in err_cmp in openssl. am i interpreting the data correctly? is there a better if ldaps:// is unconfigured the crashes stop until ldaps:// is reenabled. Version-Release number of selected component (if applicable): openssl-0.9.7a-33.10, openldap-2.1.22-8, nss_ldap-207-6 How reproducible: Always Steps to Reproduce: 1. configure pam_ldap to use ldaps:// authentication 2. build test-passwd from xscreensaver package. 3. run test-passwd and enter the wrong password until it crashes (./test-passwd tty) Actual Results: it crashes after less than 12 bad passwords (usually 2). Expected Results: it should say password okay and not crash. Additional info: qualitatively, it seems to be worse since the last openssl update.
Created attachment 99703 [details] backtrace from core dump
same problem exists with Fedora Core 2 Test 3.
*** Bug 121923 has been marked as a duplicate of this bug. ***
Does the crash still happen with FC4 test releases?
i have not yet had a problem with FC3 or RHEL4. i have not used FC4 test but assume that it would not regress from FC3. perhaps this bug should be moved to legacy as it could be security relevant?
You're right that it could be security relevant however the question is which code is the culprit. I'd suppose nss_ldap or openldap because there were no significant changes which could affect this bug between FC2 and FC3 in the openssl package.
I have had this problem with FC3, but have not tried FC4-test yet. I am running RHEL4 and there have been not issues with xscreensaver in this version as yet.
This doesn't seem to be important enough to fix just on its own, so mark it DEFER.
I would like to think that a bug that possibley causes a pam module to segfault would be important enough to fix just on its own or at least rule that out... It seems fairly clear that the error and segfault happens in err.c line 904 (which is part of openssl, crypto/err/err.c) based on the backtrace. It is possible in more recent versions there is a fixed issue but if this is still happening in FC2/FC3 and older it would be wise to at least produce a security advisory that states xscreensaver and other programs which depend on SSL may crash in certain unknown cases, possibly leaving a system without basic security... Regards
fwiw, i still haven't seen this issue occur once in 6-8 months of running a number of RHEL4 machines.
Is this still a problem with the openssl released around October 30th? openssl-0.9.7a-35.2.legacy Please note that Fedora Legacy no longer supports FC1 or FC2.
Closing Fedora Legacy bugs.