Daniel Kahn Gillmor
2011-Apr-15 18:12 UTC
[Secure-testing-team] Bug#622903: xscreensaver (linked against libcrypto1.0.0) crashes upon unlock when using libp11 0.2.7-3 (linked against libcrypto0.9.8)
Package: xscreensaver
Version: 5.11-1+b1
Severity: grave
Tags: security
Justification: user security hole

On i386, xscreensaver 5.11-1+b1 (currently in wheezy/testing) is linked against libssl and libcrypto version 1.0.0. libp11-1 0.2.7-3 (also currently in wheezy/testing) links against libssl and libcrypto version 0.9.8. So now in wheezy, if libpam-p11 is installed and configured for use, xscreensaver apparently falls prey to a double-free within libc. It currently crashes during the unlock phase, which appears to render the screen lock useless.

Here's the crash log:

*** glibc detected *** xscreensaver: double free or corruption (out): 0x09756c90 ***
======= Backtrace: ========
/lib/i686/cmov/libc.so.6(+0x6b281)[0xb7526281]
/lib/i686/cmov/libc.so.6(+0x6cad8)[0xb7527ad8]
/lib/i686/cmov/libc.so.6(cfree+0x6d)[0xb752abbd]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(CRYPTO_free+0x3a)[0xb7150d0a]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_STRING_free+0x35)[0xb71e7135]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_primitive_free+0x86)[0xb71db146]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(+0xd3254)[0xb71db254]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_template_free+0x93)[0xb71db4c3]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(+0xd33bf)[0xb71db3bf]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_template_free+0x93)[0xb71db4c3]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(+0xd33bf)[0xb71db3bf]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_free+0x18)[0xb71db508]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(X509_free+0x27)[0xb71d4727]
/usr/lib/libp11.so.1(+0x25f5)[0xb78235f5]
/usr/lib/libp11.so.1(+0x4625)[0xb7825625]
/usr/lib/libp11.so.1(+0x46d7)[0xb78256d7]
/usr/lib/libp11.so.1(PKCS11_release_all_slots+0x40)[0xb7825750]
/lib/security/pam_p11_opensc.so(pam_sm_authenticate+0x267)[0xb7829187]
/lib/libpam.so.0(+0x257d)[0xb763a57d]
/lib/libpam.so.0(pam_authenticate+0x4d)[0xb7639dbd]
xscreensaver[0x80657fa]
xscreensaver[0x806510e]
xscreensaver[0x8060423]
xscreensaver[0x804dfbb]
xscreensaver[0x804f0f8]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb74d1c76]
xscreensaver[0x804c3e1]
======= Memory map: =======
Aborted

I've worked around this problem locally by upgrading libp11-1 to 0.2.7-3+b1 (from unstable). I worry that it will bite other users who are running testing, though. It's pretty bad to leave the user's X11 session unlocked if they've explicitly indicated that it should be locked :( I'm not sure how to fix the problem more generally, though. Thanks for maintaining xscreensaver for Debian!

Regards,

--dkg

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.38-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xscreensaver depends on:
ii  libatk1.0-0        1.32.0-3        The ATK accessibility toolkit
ii  libc6              2.11.2-11       Embedded GNU C Library: Shared lib
ii  libcairo2          1.10.2-6        The Cairo 2D vector graphics libra
ii  libfontconfig1     2.8.0-2.1       generic font configuration library
ii  libfreetype6       2.4.4-1         FreeType 2 font engine, shared lib
ii  libglade2-0        1:2.6.4-1       library to load .glade files at ru
ii  libglib2.0-0       2.28.4-1        The GLib library of C routines
ii  libgtk2.0-0        2.24.3-1~sid1   The GTK+ graphical user interface
ii  libice6            2:1.0.7-1       X11 Inter-Client Exchange library
ii  libpam0g           1.1.2-2         Pluggable Authentication Modules l
ii  libpango1.0-0      1.28.3-6        Layout and rendering of internatio
ii  libsm6             2:1.2.0-1       X11 Session Management library
ii  libx11-6           2:1.4.2-1       X11 client-side library
ii  libxext6           2:1.2.0-2       X11 miscellaneous extension librar
ii  libxinerama1       2:1.1.1-1       X11 Xinerama extension library
ii  libxml2            2.7.8.dfsg-2    GNOME XML library
ii  libxmu6            2:1.1.0-1       X11 miscellaneous utility library
ii  libxpm4            1:3.5.9-1       X11 pixmap library
ii  libxrandr2         2:1.3.1-1       X11 RandR extension library
ii  libxrender1        1:0.9.6-1       X Rendering Extension client libra
ii  libxt6             1:1.1.1-1       X11 toolkit intrinsics library
ii  libxxf86vm1        1:1.1.1-1       X11 XFree86 video mode extension l
ii  xscreensaver-data  5.11-1+b1       data files to be shared among scre

Versions of packages xscreensaver recommends:
ii  libjpeg-progs        8c-1                   Programs for manipulating JPEG fil
ii  miscfiles [wordlist  1.4.2.dfsg.1-9         Dictionaries and other interesting
ii  perl [perl5]         5.10.1-19              Larry Wall's Practical Extraction
ii  xli                  1.17.0+20061110-3+b1   command line tool for viewing imag
ii  xloadimage           4.1-16.2               Graphics file viewer under X11

Versions of packages xscreensaver suggests:
pn  fortune                     <none>          (no description available)
ii  iceape-browser [www-browse  2.0.13-1        Iceape Navigator (Internet browser
ii  iceweasel [www-browser]     4.0-3           Web browser based on Firefox
ii  konqueror [www-browser]     4:4.4.5-3       advanced file manager, web browser
ii  links [www-browser]         2.3~pre1-1+b1   Web browser running in text mode
pn  qcam | streamer             <none>          (no description available)
pn  xdaliclock                  <none>          (no description available)
pn  xfishtank                   <none>          (no description available)
pn  xscreensaver-gl             <none>          (no description available)

-- no debconf information