
Bug#1035732: marked as done (libkscreenlocker5: Endless loop when using PAM)



Your message dated Mon, 24 Jul 2023 16:32:24 +0000
with message-id <E1qNyTw-00Cb92-3G@fasolo.debian.org>
and subject line Bug#1035732: fixed in kscreenlocker 5.20.5-1+deb11u1
has caused the Debian Bug report #1035732,
regarding libkscreenlocker5: Endless loop when using PAM
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035732: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035732
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libkscreenlocker5
Version: 5.20.5-1
Severity: critical
Tags: patch upstream
Justification: breaks the whole system

Dear Maintainer,

* What led up to the situation?

A variation of upstream bug report https://bugs.kde.org/show_bug.cgi?id=438099

pam-configuration with
	auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
	auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
	auth    requisite                       pam_deny.so
and
pressing "enter" to unlock the screen without entering a password.

* What was the outcome of this action?

Endless loop of

kcheckpass[74114]: pam_krb5(kde:auth): pam_sm_authenticate: entry
kcheckpass[74114]: pam_krb5(kde:auth): (user XXXX) error getting password: Conversation error
kcheckpass[74114]: pam_krb5(kde:auth): authentication failure; logname=XXXX uid=XXXX euid=XXXX tty=:1 ruser= rhost=
kcheckpass[74114]: pam_krb5(kde:auth): pam_sm_authenticate: exit (failure)
kcheckpass[74114]: pam_unix(kde:auth): conversation failed
kcheckpass[74114]: pam_unix(kde:auth): auth could not identify password for [XXXX]

(here more than 250 times / second)
till next unlock attempt with a password.
Flooding /var/log/auth.log and central authentication services.
(Thus an unintentional "enter" on a locked screen can result in at least completely filled disks.)


* What outcome did you expect instead?

Authentication failure.

Please include the short patch
https://invent.kde.org/plasma/kscreenlocker/-/commit/fca315cf72826f93eda7a026016b33818b9d1f39
to kscreenlocker-5.20.5 in bullseye.

The critical part has been completely rewritten in kscreenlocker-5.27.2
(testing) and the problem probably doesn't apply there.

Best regards,
Andreas Poenicke

BTW:
Hotfix:

Separate /etc/pam.d/kde configuration with "use_first_pass" instead of
"try_first_pass", like

auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=1 default=ignore]      pam_unix.so use_first_pass
auth    requisite                       pam_deny.so

Which should be ok for kscreenlocker in most cases.





-- System Information:
Debian Release: 11.7
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-22-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:de
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libkscreenlocker5 depends on:
ii  kpackagetool5          5.78.0-3
ii  libc6                  2.31-13+deb11u6
ii  libkf5configcore5      5.78.0-4
ii  libkf5configgui5       5.78.0-4
ii  libkf5coreaddons5      5.78.0-4
ii  libkf5crash5           5.78.0-3
ii  libkf5declarative5     5.78.0-2
ii  libkf5globalaccel-bin  5.78.0-3
ii  libkf5globalaccel5     5.78.0-3
ii  libkf5i18n5            5.78.0-2
ii  libkf5idletime5        5.78.0-2
ii  libkf5notifications5   5.78.0-2
ii  libkf5package5         5.78.0-3
ii  libkf5quickaddons5     5.78.0-2
ii  libkf5waylandclient5   4:5.78.0-2
ii  libkf5waylandserver5   4:5.78.0-2
ii  libkf5windowsystem5    5.78.0-2
ii  libkf5xmlgui5          5.78.0-2
ii  libpam0g               1.4.0-9+deb11u1
ii  libqt5core5a           5.15.2+dfsg-9
ii  libqt5dbus5            5.15.2+dfsg-9
ii  libqt5gui5             5.15.2+dfsg-9
ii  libqt5network5         5.15.2+dfsg-9
ii  libqt5qml5             5.15.2+dfsg-6
ii  libqt5quick5           5.15.2+dfsg-6
ii  libqt5widgets5         5.15.2+dfsg-9
ii  libqt5x11extras5       5.15.2-2
ii  libstdc++6             10.2.1-6
ii  libwayland-client0     1.18.0-2~exp1.1
ii  libwayland-server0     1.18.0-2~exp1.1
ii  libx11-6               2:1.7.2-1
ii  libxcb-keysyms1        0.4.0-1+b2
ii  libxcb1                1.14-3
ii  libxi6                 2:1.7.10-1
ii  psmisc                 23.4-2

Versions of packages libkscreenlocker5 recommends:
ii  kde-config-screenlocker  5.20.5-1

libkscreenlocker5 suggests no packages.

-- no debconf information

--
Karlsruher Institut für Technologie
Institut für Theoretische Festkörperphysik
Institut für Theorie der Kondensierten Materie

Dr. Andreas Poenicke
Wolfgang-Gaede-Str. 1, Gebäude 30.23, D-76128 Karlsruhe
Phone: +49-721-608-43365		Fax: +49-721-608-47040
E-Mail: andreas.poenicke@kit.edu	WWW: www.tfp.kit.edu

KIT - The Research University in the Helmholtz Association

--- End Message ---
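
Added example (not part of the bug report above and not kscreenlocker code): a small Python detector for the auth.log flood the report describes, counting PAM auth failure lines per process per second. The syslog timestamp and host prefix, the sample lines, and the threshold of 50 are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed syslog layout: "<Mon> <day> <HH:MM:SS> <host> <prog>[<pid>]: <module>(<service>:auth): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):auth\):\s+(?P<msg>.*)$"
)
# Failure messages taken from the log excerpt in the report.
FAILURE_MARKERS = ("conversation failed", "authentication failure",
                   "could not identify password")

def find_auth_loops(lines, threshold=50):
    """Return {(prog, pid, service): peak failures per second} for every
    process whose PAM failure lines within one second reach `threshold`."""
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and any(marker in m["msg"] for marker in FAILURE_MARKERS):
            per_second[(m["prog"], m["pid"], m["service"], m["ts"])] += 1
    peaks = {}
    for (prog, pid, service, _ts), count in per_second.items():
        if count >= threshold:
            key = (prog, pid, service)
            peaks[key] = max(peaks.get(key, 0), count)
    return peaks

def make_sample():
    """Constructed sample: one looping kcheckpass and one ordinary failed unlock."""
    loop = [
        "May 17 22:40:20 host1 kcheckpass[74114]: pam_krb5(kde:auth): authentication failure; logname=XXXX uid=XXXX euid=XXXX tty=:1 ruser= rhost=",
        "May 17 22:40:20 host1 kcheckpass[74114]: pam_unix(kde:auth): conversation failed",
        "May 17 22:40:20 host1 kcheckpass[74114]: pam_unix(kde:auth): auth could not identify password for [XXXX]",
    ] * 90
    normal = ["May 17 22:41:03 host1 kcheckpass[80001]: pam_unix(kde:auth): authentication failure; logname=XXXX uid=XXXX"]
    return loop + normal

if __name__ == "__main__":
    for (prog, pid, service), peak in find_auth_loops(make_sample()).items():
        print(f"{prog}[{pid}] service={service}: {peak} PAM failures in one second")
```

A single failed unlock produces a handful of such lines, so a per-second, per-PID count separates the loop from normal mistyped passwords.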
--- Begin Message ---
Source: kscreenlocker
Source-Version: 5.20.5-1+deb11u1
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
kscreenlocker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1035732@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated kscreenlocker package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 May 2023 22:40:20 +0200
Source: kscreenlocker
Architecture: source
Version: 5.20.5-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1035732
Changes:
 kscreenlocker (5.20.5-1+deb11u1) bullseye; urgency=medium
 .
   * Fix authentication error when using PAM (Closes: #1035732).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
