[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)

"Livingston, John A" <john.a.livingston@boeing.com> writes:
> On Jun 6, 2012, at 4:59 PM, Russ Allbery wrote:

>> Can you try running sshd -d under valgrind and see if it can spot where
>> the memory corruption is happening?

> Below are two valgrind runs (without and with -v, depending on how much
> address spam you'd like to read) with password auth being attempted. In
> general kfree.c around line 400 seems fraught with danger.

Aha!  Do you have the keytab PAM option set either in the PAM
configuration or in krb5.conf?

MIT Kerberos appears to have a bug where krb5_verify_init_creds
unconditionally frees the server krb5_principal argument even if it was
passed in by the caller, resulting in a double-free in the pam-krb5 module
when the keytab option is set.

This bug appears to have been introduced in commit
caf1fdd98690019d9ac9f56125f4916cfbdfd2d4 which was applied as a patch in
the krb5 package in Debian even though that change wasn't in 1.10.1.  It
looks like that bug isn't in any released version of Kerberos, but the
Debian package will need a new release to fix it.  I'll copy Sam so that
he's aware and also file an upstream bug.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: