Subject: Re: PAM vulnerability in portable OpenSSH
To: Dag-Erling Smørgrav <des@des.no>
From: Damien Miller <djm@mindrot.org>
List: current-users
Date: 10/02/2003 09:59:10
Dag-Erling Smørgrav wrote:
> Damien Miller <djm@mindrot.org> writes:
> 
>>The PAM spec is silent on the meanings of the arguments to the
>>conversation function (a really sad state of affairs for a security
>>technology).
> 
> XSSO page 89: "The parameter msg is a pointer to an array of length
> num_msg of the pam_message structure".

You don't seem to agree. The PAM code that you wrote for FreeBSD's
OpenSSH treats msg as an array of pointers, not a pointer to an array
of structs.

http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/auth2-pam-freebsd.c?rev=1.13

(scroll down to pam_thread_conv)

See my point? One of the vulnerabilities in the recent sshpam.adv was
due to a similar confusion.

-d
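
The two readings of `msg` debated in this message, shown as an added example that is not part of the original mail and is not OpenSSH or FreeBSD code. `struct demo_message` is a stand-in for `struct pam_message`, and all function names are hypothetical; the block also shows a caller-side layout under which both readings return the same data.

```c
#include <string.h>

/* Stand-in for struct pam_message (same two fields); not the real PAM header. */
struct demo_message { int msg_style; const char *msg; };

/* Reading 1: msg is an array of pointers; element i is *msg[i]. */
static const char *read_as_pointer_array(const struct demo_message **msg, int i)
{
    return msg[i]->msg;
}

/* Reading 2: msg points to an array of structs; element i is (*msg)[i]. */
static const char *read_as_struct_array(const struct demo_message **msg, int i)
{
    return (*msg)[i].msg;
}

/* Caller-side layout valid under both readings: the structs are contiguous
 * and ptrs[i] points at structs[i], so msg[i] == &(*msg)[i] for all i < n. */
static void build_dual_layout(struct demo_message *structs,
                              const struct demo_message **ptrs,
                              const char *const *texts, int n)
{
    for (int i = 0; i < n; i++) {
        structs[i].msg_style = 1;      /* constructed placeholder style */
        structs[i].msg = texts[i];
        ptrs[i] = &structs[i];
    }
}

/* Returns 1 when both readings yield the same text for every message. */
int readings_agree(void)
{
    const char *texts[] = { "login:", "Password:", "OTP:" };  /* constructed */
    struct demo_message structs[3];
    const struct demo_message *ptrs[3];

    build_dual_layout(structs, ptrs, texts, 3);
    for (int i = 0; i < 3; i++) {
        const char *a = read_as_pointer_array(ptrs, i);
        const char *b = read_as_struct_array(ptrs, i);
        if (a != b || strcmp(a, texts[i]) != 0)
            return 0;
    }
    return 1;
}

int main(void) { return readings_agree() ? 0 : 1; }
```

When the caller builds the argument for only one reading and the callee indexes with the other, every access with i > 0 lands on memory that is not a message struct.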