Subject: Re: PAM vulnerability in portable OpenSSH
To: Damien Miller <firstname.lastname@example.org>
From: Dag-Erling Smørgrav <email@example.com>
Date: 10/02/2003 08:41:58
Damien Miller <firstname.lastname@example.org> writes:
> Dag-Erling Smørgrav wrote:
> > XSSO page 89: "The parameter msg is a pointer to an array of length
> > num_msg of the pam_message structure".
> You don't seem to agree. The PAM code that you wrote for FreeBSD's
> OpenSSH treats msg as an array of pointers, not a pointer to an array
> of structs.
Not quite. Part of the code treats it as an array of pointers, and
part of it treats it as an array of structs. That is quite simply a
mistake that went undetected because it has no impact in the common
case (num_msg == 1) and I don't know of any PAM modules which exercise
the uncommon case (num_msg > 1). In hindsight, of course, I should
have written such a module for testing purposes.
> See my point? One of the vulnerabilities in the recent sshpam.adv was
> due to a similar confusion.
Not "a similar confusion"; it is the exact same code (which btw was
cut'n'pasted from OpenPAM's openpam_ttyconv(3)).
Dag-Erling Smørgrav - email@example.com
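The mix-up discussed in this thread is whether the conversation callback's `msg` argument is an array of `num_msg` pointers (`msg[i]`) or a pointer to one array of structs (`(*msg)[i]`). The following is an added example, not code from the thread, OpenSSH or OpenPAM: a conversation function that applies the array-of-pointers convention consistently, plus the kind of `num_msg > 1` test the message says was missing. The `demo_conv`/`demo_conv_selftest` names, the fixed answer string and the stand-in struct and constant definitions are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L         /* for strdup() */
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the XSSO structures and constants, so this
 * compiles without <security/pam_appl.h>; names follow the standard. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Conversation function using one convention consistently: msg is an array
 * of num_msg pointers, so message i is msg[i], never (*msg)[i]. Prompts are
 * answered from the fixed string in appdata instead of a terminal. */
int demo_conv(int num_msg, const struct pam_message **msg,
              struct pam_response **resp, void *appdata)
{
    struct pam_response *r;
    int i;
    if (num_msg <= 0 || msg == NULL || resp == NULL)
        return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL)
        return PAM_BUF_ERR;             /* one zeroed slot per message */
    for (i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: case PAM_PROMPT_ECHO_ON:
            if ((r[i].resp = strdup((const char *)appdata)) != NULL) break;
            /* fall through: allocation failed */
        default:                        /* unknown style: release everything */
            for (i = 0; i < num_msg; i++) free(r[i].resp);
            free(r);
            return PAM_CONV_ERR;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO:
            break;                      /* display only, no response text */
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Exercises the uncommon num_msg > 1 case: an info line followed by a
 * password prompt. Returns 1 when exactly the prompt got a response. */
int demo_conv_selftest(void)
{
    struct pam_message m0 = { PAM_TEXT_INFO, "Welcome" };
    struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[2] = { &m0, &m1 };
    struct pam_response *resp = NULL;
    int ok;
    if (demo_conv(2, msgs, &resp, (void *)"s3cret") != PAM_SUCCESS) return 0;
    ok = resp[0].resp == NULL && resp[1].resp != NULL &&
         strcmp(resp[1].resp, "s3cret") == 0;
    free(resp[0].resp); free(resp[1].resp); free(resp);
    return ok;
}
```

A module that issued two messages in one call, as in the self-test, would have exposed an implementation that indexed `(*msg)[1]` instead of `msg[1]`, because only the first element coincides under both readings.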