openssh bugs - Feb 2016 - [Bug 2539] New: Add missing sanity check for read_passphrase() in auth-pam.c

https://bugzilla.mindrot.org/show_bug.cgi?id=2539

            Bug ID: 2539
           Summary: Add missing sanity check for read_passphrase() in
                    auth-pam.c
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: wp02855 at gmail.com

Created attachment 2784
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2784&action=edit
Patch file for this bug report

Hello All,

        In reviewing code in OpenSSH-7.1p2, it would appear in file
'auth-pam.c',
function 'sshpam_tty_conv()', there is a call to read_passphrase()
which
is not checked for a return value of NULL, indicating failure.  The
patch
file below should address/correct this issue:

--- auth-pam.c.orig     2016-02-13 09:44:14.656582235 -0800
+++ auth-pam.c  2016-02-13 09:46:14.583824370 -0800
@@ -982,6 +982,8 @@
                        reply[i].resp                            
read_passphrase(PAM_MSG_MEMBER(msg, i,
msg),
                            RP_ALLOW_STDIN);
+                       if (reply[i].resp == NULL)
+                               goto fail;
                        reply[i].resp_retcode = PAM_SUCCESS;
                        break;
                case PAM_PROMPT_ECHO_ON:

======================================================================
I am attaching the patch file to this bug report...

Bill Parker (wp02855 at gmail dot com)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2539

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |dtucker at zip.com.au
         Resolution|---                         |INVALID

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Bill Parker from comment #0)
> 	In reviewing code in OpenSSH-7.1p2, it would appear in file
> 'auth-pam.c',
> function 'sshpam_tty_conv()', there is a call to read_passphrase()
> which is not checked for a return value of NULL, indicating failure.
> The patch file below should address/correct this issue:
[...]
>                         reply[i].resp >                            
read_passphrase(PAM_MSG_MEMBER(msg, i,
> msg),
>                             RP_ALLOW_STDIN);
> +                       if (reply[i].resp == NULL)
> +                               goto fail;
Thanks, but read_passphrase() can only return NULL if given the
RP_ALLOW_EOF flag which this code doesn't, so in this case it's
guaranteed to be non-NULL.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2539

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.