Bug#418212: libpam-opie: Missing mandatory call to opieverify() after opiechallenge()

Sat, 07 Apr 2007 18:59:40 -0700 

Package: libpam-opie
Version: 0.21-8
Severity: normal
Tags: patch

According to the preamble to opiechallenge() in the libopie source you
"MUST call opieverify() to clear the lock and any internal state" even if
the challenge fails.  This is not done in libpam-opie.

The attached patch fixes this coding error and removes the '-Wtraditional'
compilation flag that was generating spurious ISO C style warnings with
recent versions of gcc.

I found that the missing opieverify() problem was first identified by Matt
Johnston in the (otherwise unrelated) wishlist bug #237814.

-- Brad

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (1000, 'testing'), (80, 'unstable'), (60, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpam-opie depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l

Versions of packages libpam-opie recommends:
hi  opie-server                   2.32-10.2  OPIE programs for maintaining an O

-- no debconf information

Common subdirectories: libpam-opie-0.21/debian and libpam-opie-0.21-9/debian
Only in libpam-opie-0.21-9/: dynamic
Only in libpam-opie-0.21-9/: install-stamp
diff -uBb libpam-opie-0.21/Makefile libpam-opie-0.21-9/Makefile
--- libpam-opie-0.21/Makefile	2007-04-07 21:33:31.000000000 -0400
+++ libpam-opie-0.21-9/Makefile	2007-04-07 21:27:17.000000000 -0400
@@ -25,7 +25,7 @@
 export CC=gcc
 export CFLAGS=-O2 -Dlinux -DLINUX_PAM \
        -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \
-       -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \
+       -Wpointer-arith -Wcast-qual -Wcast-align \
        -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \
        -Wshadow -pedantic -fPIC
 export MKDIR=mkdir -p
diff -uBb libpam-opie-0.21/pam_opie.c libpam-opie-0.21-9/pam_opie.c
--- libpam-opie-0.21/pam_opie.c	2007-04-07 21:33:31.000000000 -0400
+++ libpam-opie-0.21-9/pam_opie.c	2007-04-07 21:27:26.000000000 -0400
@@ -29,6 +29,7 @@
 #define PAM_SM_AUTH
 #include <security/pam_modules.h>
 #include <stdlib.h>
+#include <string.h>
 #include <opie.h>
 
 int converse(pam_handle_t*, int, struct pam_message**, struct pam_response**);
@@ -95,6 +96,7 @@
 	retval = opiechallenge(&opie, principal, challenge);
 	if (principal != NULL) free(principal);
 	if ((retval < 0) || (retval > 1)) {
+		opieverify(&opie, NULL); /* Must always call opieverify before returning */
 		return PAM_AUTHINFO_UNAVAIL;
 	}
 	knownuser = (retval == 0) ? 1 : 0;
@@ -106,8 +108,10 @@
 	msg[0].msg = challenge;
 	resp = NULL;
 	retval = converse(pamh, 1, pmsg, &resp);
-	if (retval != PAM_SUCCESS)
+	if (retval != PAM_SUCCESS) {
+		opieverify(&opie, NULL); /* Must always call opieverify before returning */
 		return retval;
+	}
 	tok = xstrdup(resp[0].resp);
 	if (resp != NULL) free(resp);
 	pam_set_item(pamh, PAM_AUTHTOK, tok);

Reply via email to