bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-13 21:29 UTC
[Bug 2539] New: Add missing sanity check for read_passphrase() in auth-pam.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2539 Bug ID: 2539 Summary: Add missing sanity check for read_passphrase() in auth-pam.c Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org Reporter: wp02855 at gmail.com Created attachment 2784 --> https://bugzilla.mindrot.org/attachment.cgi?id=2784&action=edit Patch file for this bug report Hello All, In reviewing code in OpenSSH-7.1p2, it would appear in file 'auth-pam.c', function 'sshpam_tty_conv()', there is a call to read_passphrase() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- auth-pam.c.orig 2016-02-13 09:44:14.656582235 -0800 +++ auth-pam.c 2016-02-13 09:46:14.583824370 -0800 @@ -982,6 +982,8 @@ reply[i].resp read_passphrase(PAM_MSG_MEMBER(msg, i, msg), RP_ALLOW_STDIN); + if (reply[i].resp == NULL) + goto fail; reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_PROMPT_ECHO_ON: ====================================================================== I am attaching the patch file to this bug report... Bill Parker (wp02855 at gmail dot com) -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-14 23:16 UTC
[Bug 2539] Add missing sanity check for read_passphrase() in auth-pam.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2539 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |dtucker at zip.com.au Resolution|--- |INVALID --- Comment #1 from Darren Tucker <dtucker at zip.com.au> --- (In reply to Bill Parker from comment #0)> In reviewing code in OpenSSH-7.1p2, it would appear in file > 'auth-pam.c', > function 'sshpam_tty_conv()', there is a call to read_passphrase() > which is not checked for a return value of NULL, indicating failure. > The patch file below should address/correct this issue:[...]> reply[i].resp > read_passphrase(PAM_MSG_MEMBER(msg, i, > msg), > RP_ALLOW_STDIN); > + if (reply[i].resp == NULL) > + goto fail;Thanks, but read_passphrase() can only return NULL if given the RP_ALLOW_EOF flag which this code doesn't, so in this case it's guaranteed to be non-NULL. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:42 UTC
[Bug 2539] Add missing sanity check for read_passphrase() in auth-pam.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2539 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.