[Bug 272228] libpam's openpam_subst() can crash if prompt ends with %

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 272228] libpam's openpam_subst() can crash if prompt ends with %"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 26 Jun 2023 18:06:55 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272228

            Bug ID: 272228
           Summary: libpam's openpam_subst() can crash if prompt ends with
                    %
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

If a PAM user prompt ends with %, then openpam_subst() increments
template (the prompt) beyond the prompt's terminal '\0', and
(depending what's beyond the end) can eventually crash. One place such
a prompt could come from is a remote TACACS+ server.

        while (*template && ret == PAM_SUCCESS) {
                if (template[0] == '%') {
                        ++template;
                        switch (*template) {
                        ...;
                        case '\0':
                                subst_char('%');
                                break;
                        ...;
                        }
                        ++template;
                }
        }

-- 
You are receiving this mail because:
You are the assignee for the bug.