Bug 26115 - pam_listfile segfaults on invalid usernames
Summary: pam_listfile segfaults on invalid usernames
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam   
(Show other bugs)
Version: 6.2
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-02-05 17:46 UTC by Need Real Name
Modified: 2007-04-18 16:31 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-05 19:44:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Need Real Name 2001-02-05 17:46:22 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)


If one uses pam_listfile in the pam stack for login, if someone tries to 
telnet in (or use any application that uses login) and enters an invalid 
username, that pam module segfaults and the user has to telnet in again.

Reproducible: Always
Steps to Reproduce:
1. set up /etc/pam.d/login to use pam_listfile
2. telnet in, use bad name
3. see crash
4. easier method: instead of telnet, use gdb login
	

easy fix, it segfaults on this code

userinfo = getpwnam(citemp);
setgrent();
grpinfo = getgrgid(userinfo->pw_gid);

i.e. when citemp doesn't exist, getpwnam returns NULL, and therefore you 
operate on a null pointer

a simple 
if (userinfo == NULL)
        return sense?PAM_SUCCESS:PAM_AUTH_ERR;

after the getpwnam seems to make everything work properly.  However, I am 
not a pam expert, so that might (probably?) is the wrong return value, but 
it seems to work here. 

here's a simple patch for the latest src.rpm that was in updates for 6.2

[spotter@yucs pam_listfile]$ diff pam_listfile.c pam_listfile.c.old
295,296d294
<               if (userinfo == NULL)
<                       return sense?PAM_SUCCESS:PAM_AUTH_ERR;

This is still a problem in redhat 7's pam.

Comment 1 Nalin Dahyabhai 2001-02-06 02:23:37 UTC
This will be fixed in pam-0.74-5.  Thanks!


Note You need to log in before you can comment on or make changes to this bug.