From ajk@ajk-5.waterspout.com  Mon Mar 13 10:56:37 2000
Return-Path: <ajk@ajk-5.waterspout.com>
Received: from ajk-5.waterspout.com (verbal.uits.iupui.edu [149.166.240.10])
	by hub.freebsd.org (Postfix) with ESMTP id 52C1737BDD5
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Mar 2000 10:56:29 -0800 (PST)
	(envelope-from ajk@ajk-5.waterspout.com)
Received: (from ajk@localhost)
	by ajk-5.waterspout.com (8.9.3/8.9.3) id NAA02840;
	Mon, 13 Mar 2000 13:56:43 -0500 (EST)
	(envelope-from ajk)
Message-Id: <200003131856.NAA02840@ajk-5.waterspout.com>
Date: Mon, 13 Mar 2000 13:56:43 -0500 (EST)
From: ajk@iu.edu
Sender: ajk@ajk-5.waterspout.com
Reply-To: ajk@iu.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] Cleanup bug in pam_ssh
X-Send-Pr-Version: 3.2

>Number:         17360
>Category:       bin
>Synopsis:       [PATCH] Cleanup bug in pam_ssh
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 13 11:00:02 PST 2000
>Closed-Date:    Tue Mar 19 16:03:22 PST 2002
>Last-Modified:  Tue Mar 19 16:03:22 PST 2002
>Originator:     Andrew J. Korty
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
IT Security Office, Indiana University
>Environment:

FreeBSD ajk-5.waterspout.com 4.0-CURRENT FreeBSD 4.0-CURRENT #5:
Sat Mar 11 13:28:16 EST 2000
ajk@kujan.uits.iupui.edu:/usr/src/sys/compile/KUJAN  i386

>Description:

[Sorry to submit this right after the tag went down, but I just
noticed it.]

Since pam_ssh is unable to use the libc environment calls (long
story), it uses a linked list to manage the environment on its own.
The list was not getting freed properly, which could cause a memory
leak in PAM applications that use this module.

This patch also ensures strict modes on the file containing ssh-agent
environment strings created in the user's ~/.ssh directory.

>How-To-Repeat:

Look at the env_destroy() function and see how it can't possibly
work.  :-)

>Fix:

Apply this patch against src/crypto/openssh/pam_ssh/pam_ssh.c.

Index: pam_ssh.c
===================================================================
RCS file: /var/cvs/src/crypto/openssh/pam_ssh/pam_ssh.c,v
retrieving revision 1.3
diff -U2 -r1.3 pam_ssh.c
--- pam_ssh.c	2000/02/26 09:59:14	1.3
+++ pam_ssh.c	2000/03/13 18:36:44
@@ -1,4 +1,4 @@
 /*-
- * Copyright (c) 1999 Andrew J. Korty
+ * Copyright (c) 1999, 2000 Andrew J. Korty
  * All rights reserved.
  *
@@ -31,4 +31,5 @@
 #include <sys/param.h>
 #include <sys/queue.h>
+#include <sys/stat.h>
 
 #include <fcntl.h>
@@ -121,5 +122,5 @@
 
 static int
-env_put(ENV *self, char *s)
+env_put(ENV *self, const char *s)
 {
 	struct env_entry	*env;
@@ -137,5 +138,5 @@
 
 static void
-env_swap(ENV *self, int which)
+env_swap(const ENV *self, int which)
 {
 	environ = which ? self->e_environ_new : self->e_environ_orig;
@@ -174,7 +175,8 @@
 
 	env_swap(self, 0);
-	SLIST_FOREACH(p, &self->e_head, ee_entries) {
+	while ((p = SLIST_FIRST(&self->e_head))) {
 		free(p->ee_env);
 		free(p);
+		SLIST_REMOVE_HEAD(&self->e_head, ee_entries);
 	}
 	if (self->e_committed)
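Review bot: the new loop body still touches freed memory. SLIST_REMOVE_HEAD(&self->e_head, ee_entries) expands to `SLIST_FIRST(&self->e_head) = SLIST_FIRST(&self->e_head)->ee_entries.sle_next`, and at that point SLIST_FIRST is p, which free(p) on the line above has just released. Unlink the entry before freeing it, i.e. order the body as `SLIST_REMOVE_HEAD(&self->e_head, ee_entries); free(p->ee_env); free(p);`. Replacing SLIST_FOREACH is otherwise the right fix, since the old loop advanced through p->ee_entries after free(p).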
@@ -366,5 +368,6 @@
 	saved_uid = geteuid();
 	(void)seteuid(pwent->pw_uid);
-	env_fp = fopen(env_file, "w");
+	if ((env_fp = fopen(env_file, "w")))
+		(void)chmod(env_file, S_IRUSR);
 	pipe = popen(PATH_SSH_AGENT, "r");
 	(void)seteuid(saved_uid);
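Review bot: chmod after fopen leaves a window in which env_file exists with the mode given by the user's umask (typically 0644) before it is tightened to S_IRUSR, and fopen(env_file, "w") does not refuse an already existing file. Set the mode at creation instead, e.g. `fd = open(env_file, O_WRONLY|O_CREAT|O_EXCL, S_IRUSR);` followed by `env_fp = fdopen(fd, "w");` (fcntl.h is already included), or at minimum `fchmod(fileno(env_fp), S_IRUSR)` so the mode is applied to the descriptor actually opened. Also worth checking: with mode 0400 and the euid set to pwent->pw_uid, a later fopen(env_file, "w") in a subsequent session will fail with EACCES unless the file is unlinked first, and the env_fp == NULL case still falls through to popen with no error path.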

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kris
Responsible-Changed-By: sheldonh
Responsible-Changed-When: Mon Aug 7 07:36:42 PDT 2000
Responsible-Changed-Why:
Johan Karlsson says that this seems to be fixed in rev 1.7 of
src/crypto/openssh/pam_ssh/pam_ssh.c; over to the ssh
maintainer for further investigation.

http://www.freebsd.org/cgi/query-pr.cgi?pr=17360
Responsible-Changed-From-To: kris->green
Responsible-Changed-By: kris
Responsible-Changed-When: Sun Nov 12 18:30:18 PST 2000
Responsible-Changed-Why:
Green is taking over OpenSSH

http://www.freebsd.org/cgi/query-pr.cgi?pr=17360
State-Changed-From-To: open->closed
State-Changed-By: green
State-Changed-When: Tue Mar 19 16:03:07 PST 2002
State-Changed-Why:
This is majorly obsolete.

http://www.freebsd.org/cgi/query-pr.cgi?pr=17360
>Unformatted:
