openssh bugs - Sep 2017 - [Bug 2777] New: sshd crashes when getpwnam result is returned by libnss_systemd

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

            Bug ID: 2777
           Summary: sshd crashes when getpwnam result is returned by
                    libnss_systemd
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot_bugzilla at entropy-collector.net

Downstream bug report https://bugs.archlinux.org/task/55570?project=1
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1643
If the result of this getpwnam called is supplied by libnss_systemd
then the structure and all strings pointed to within the structure will
be in a read only memory section.
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1648
explicit_bzero will then segfault attempting to write to that read only
section.
POSIX.1-2008 http://pubs.opengroup.org/onlinepubs/9699919799/ forbids
modifying the structure returned by getpwnam or the strings it points
to.
Perhaps switch the call to getpwnam_r?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2782
                 CC|                            |djm at mindrot.org


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3110|                            |ok?
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3110
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3110&action=edit
keep scrubbed copy of passwd struct

We can use the existing pwcopy() function to make a local, mutable copy
and hope the system endpwent() does the right thing and scrubs the last
returned passwd entry from memory.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
   Attachment #3110|ok?                         |ok?(dtucker at dtucker.net)
              Flags|                            |

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3110|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Fix committed, this will be in OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2777

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.