Ubuntu
libcap2 package

libpam-cap causes PAM applications to crash

Bug #1899103 reported by Alan Jowett
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
libcap2 (Ubuntu)
Triaged
Medium
Unassigned

Bug Description

Install ocserv and setup for PAM authentication. On second connection, ocserv crashes due to a double free in PAM.

Repro steps:
1. Create Dockerfile that installs ocserv + libpam-cap
```
FROM ubuntu:20.04

RUN apt update && apt install -y ocserv libpam-cap && apt autoremove && apt clean

COPY server-cert.pem /etc/ssl/ocserv_test.cert
COPY server-key.pem /etc/ssl/ocserv_test.key
COPY ca-cert.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
COPY ocserv.conf /etc/ocserv/ocserv.conf

RUN useradd test
RUN echo "test\ntest" | passwd test

ENV MALLOC_CHECK_=3
CMD ocserv -f -d 1
```

2. Build container:
```
sudo docker build -t ocserv:20.04 .
```

3. Launch container:
```
docker run -p 443:443/tcp -p 443:443/udp -it --rm --device /dev/net/tun --cap-add net_admin ocserv:20.04
```

4. From another console, connect / disconnect:
```
while true; do echo test | openconnect https://localhost -u test --passwd-on-stdin --servercert pin-sha256:qBLVTyoXiFdn+0pW+eSGqnVCEnMbLigVf5vAl1ZewW4= --background && sleep 2 && pkill openconnect && sleep 2;done
```

5. ocserv crashes:
free(): invalid pointer
ocserv[8]: main: main-sec-mod-cmd.c:106: command socket for sec-mod closed
ocserv[8]: main: main.c:1179: error in command from sec-mod
ocserv[8]: main: termination request received; waiting for children to die

For more details see:
https://gitlab.com/openconnect/ocserv/-/issues/361

Revision history for this message
Alan Jowett (alan-jowett) wrote :
Revision history for this message
Danny (ubuntuthebest) wrote :

Confirmed the issue

Changed in libcap2 (Ubuntu):
status: New → Confirmed
Revision history for this message
S. M. Masoud Sadrnezhaad (smmsadrnezh) wrote :

I have this problem too. When I try to connect to it for the second time, it gives this error on the client-side:

Got HTTP response: HTTP/1.1 401 Authentication failed
Server 'example.com' requested Basic authentication which is disabled by default
Failed to obtain WebVPN cookie

And then the ocserv goes down on the server. If I add --http-auth=Basic option to openconnect, then it won't ask for password from me and gives the following error:

Got HTTP response: HTTP/1.1 401 Authentication failed
Content-Length: 0
HTTP body length: (0)
No more authentication methods to try
Failed to obtain WebVPN cookie

Revision history for this message
Andrew G. Morgan (morganlibcap) wrote :

Had not heard about this specifically before. Some bug fixes to pam_cap.so found by static analysis:

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=954a5ce4fdf195e062909f2c921d8f915d2905b9

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=552db8f4116df3fad4e4ebf90a9a05a77b9486fd

Perhaps they address this problem? The more recent of these two appeared in libcap-2.50.

Dan Bungert (dbungert)
Changed in libcap2 (Ubuntu):
importance: Undecided → Medium
Simon Chopin (schopin)
Changed in libcap2 (Ubuntu):
status: Confirmed → Triaged
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.