From owner-freebsd-bugs Mon Mar 13 11: 0:13 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 3713037B862 for ; Mon, 13 Mar 2000 11:00:04 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id LAA43029; Mon, 13 Mar 2000 11:00:03 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from ajk-5.waterspout.com (verbal.uits.iupui.edu [149.166.240.10]) by hub.freebsd.org (Postfix) with ESMTP id 52C1737BDD5 for ; Mon, 13 Mar 2000 10:56:29 -0800 (PST) (envelope-from ajk@ajk-5.waterspout.com)
Received: (from ajk@localhost) by ajk-5.waterspout.com (8.9.3/8.9.3) id NAA02840; Mon, 13 Mar 2000 13:56:43 -0500 (EST) (envelope-from ajk)
Message-Id: <200003131856.NAA02840@ajk-5.waterspout.com>
Date: Mon, 13 Mar 2000 13:56:43 -0500 (EST)
From: ajk@iu.edu
Reply-To: ajk@iu.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/17360: [PATCH] Cleanup bug in pam_ssh
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 17360
>Category: bin
>Synopsis: [PATCH] Cleanup bug in pam_ssh
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 13 11:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Andrew J. Korty
>Release: FreeBSD 4.0-CURRENT i386
>Organization: IT Security Office, Indiana University
>Environment:
FreeBSD ajk-5.waterspout.com 4.0-CURRENT FreeBSD 4.0-CURRENT #5: Sat Mar 11 13:28:16 EST 2000 ajk@kujan.uits.iupui.edu:/usr/src/sys/compile/KUJAN i386
>Description:
[Sorry to submit this right after the tag went down, but I just noticed it.]

Since pam_ssh is unable to use the libc environment calls (long story), it uses a linked list to manage the environment on its own. The list was not getting freed properly, which could cause a memory leak in PAM applications that use this module.

This patch also ensures strict modes on the file containing ssh-agent environment strings created in the user's ~/.ssh directory.
>How-To-Repeat:
Look at the env_destroy() function and see how it can't possibly work. :-)
>Fix:
Apply this patch against src/crypto/openssh/pam_ssh/pam_ssh.c.

Index: pam_ssh.c
===================================================================
RCS file: /var/cvs/src/crypto/openssh/pam_ssh/pam_ssh.c,v
retrieving revision 1.3
diff -U2 -r1.3 pam_ssh.c
--- pam_ssh.c 2000/02/26 09:59:14 1.3
+++ pam_ssh.c 2000/03/13 18:36:44
@@ -1,4 +1,4 @@ /*- - * Copyright (c) 1999 Andrew J. Korty + * Copyright (c) 1999, 2000 Andrew J. Korty * All rights reserved. * @@ -31,4 +31,5 @@ #include #include +#include #include 
@@ -121,5 +122,5 @@ static int -env_put(ENV *self, char *s) +env_put(ENV *self, const char *s) { struct env_entry *env; @@ -137,5 +138,5 @@ static void -env_swap(ENV *self, int which) +env_swap(const ENV *self, int which) { environ = which ? self->e_environ_new : self->e_environ_orig; @@ -174,7 +175,8 @@ env_swap(self, 0); - SLIST_FOREACH(p, &self->e_head, ee_entries) { + while ((p = SLIST_FIRST(&self->e_head))) { free(p->ee_env); free(p); + SLIST_REMOVE_HEAD(&self->e_head, ee_entries); } if (self->e_committed) @@ -366,5 +368,6 @@ saved_uid = geteuid(); (void)seteuid(pwent->pw_uid); - env_fp = fopen(env_file, "w"); + if ((env_fp = fopen(env_file, "w"))) + (void)chmod(env_file, S_IRUSR); pipe = popen(PATH_SSH_AGENT, "r"); (void)seteuid(saved_uid);
>Release-Note:
>Audit-Trail:
>Unformatted:
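Review bot: the rewritten env_destroy loop (hunk @@ -174,7 +175,8 @@) still touches freed memory: SLIST_REMOVE_HEAD(&self->e_head, ee_entries) is called after free(p), and that macro expands to SLIST_FIRST(head) = SLIST_NEXT(SLIST_FIRST(head), ee_entries), i.e. it reads the sle_next field of the element p that was just freed. The original SLIST_FOREACH had the same defect in its increment step (it read p's next pointer after the body freed p), so the patch replaces one use-after-free with another; depending on malloc behaviour it may appear to work, which matches the ">How-To-Repeat" remark but does not fix the root cause. Unlink before freeing:
    while ((p = SLIST_FIRST(&self->e_head))) {
        SLIST_REMOVE_HEAD(&self->e_head, ee_entries);
        free(p->ee_env); free(p); }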
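Review bot: in hunk @@ -366,5 +368,6 @@, fopen(env_file, "w") followed by chmod(env_file, S_IRUSR) creates the agent-environment file with the mode derived from the caller's umask first and tightens it only afterwards, so there is a window in which the file can be group- or world-readable, and chmod(2) acts on the path rather than on the file the stream holds open, so it can land on a different object if the path is replaced in between (the code runs with the user's euid, which limits but does not remove the concern). Creating the file restrictive from the start avoids both: for example `fd = open(env_file, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR); env_fp = fd < 0 ? NULL : fdopen(fd, "w");`, or at least `(void)fchmod(fileno(env_fp), S_IRUSR);` on the already-open stream instead of the path-based chmod. Also note that popen(PATH_SSH_AGENT, "r") still runs when fopen fails; the NULL env_fp needs to be handled in the code below the hunk, which is not shown here.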