Ubuntu
pam package

uninitialized value $3 / $curmod

Bug #1160288 reported by Lorenz
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

[impact]
Call of pam-auth-update raises some warnings of uninitalized variables

[test case]
install sssd libpam-sss libnss-sss and run pam-auth-update

[versions]
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise

libpam-runtime 1.1.3-7ubuntu2

[possible solution]
--- a/pam-auth-update Tue Mar 26 11:05:37 2013 +0100
+++ b/pam-auth-update Tue Mar 26 11:05:56 2013 +0100
@@ -620,8 +620,8 @@
                                ($modname,$line) = @{$saved[0]};
                                shift(@saved);
                                $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/;
- @prev_opts = split(/\s+/,$3);
- $curmod = $1;
+ @prev_opts = split(/\s+/, (defined $3?$3:"") );
+ $curmod = (defined $1?$1:"");
                                # FIXME: the key isn't derived from the config
                                # name, so collisions are possible if more
                                # than one config references the same module

Related branches

lp://staging/debian/pam
Revision history for this message
Steve Langasek (vorlon) wrote :

Thanks for the patch, but that's not a correct fix. $3 is never supposed to be unset here, so the root error is somewhere else.

I also can't reproduce the problem with your provided test case. You must have previous pam-auth-update settings in your environment that are contributing to the problem.

Please provide:
 - the exact output of the pam-auth-update command
 - a tarball of /etc/pam.d/common-* and /var/lib/pam

Changed in pam (Ubuntu):
status: New → Incomplete
Revision history for this message
Lorenz (lqb) wrote :

The output of pam-auth-update:

$ sudo pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 623, <CURRENT> line 32.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 631, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32.

$ sudo pam-auth-update --package
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 623, <CURRENT> line 32.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 631, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32

Revision history for this message
Steve Langasek (vorlon) wrote :

You appear to have a /usr/share/pam-config/mkhomedir file which doesn't come from any Ubuntu package. Could you please attach this file as well?

Revision history for this message
Steve Langasek (vorlon) wrote :

(there's also a /usr/share/pam-config/sss-password that's not packaged; I'm pretty sure the problem is with the mkhomedir' profile, but maybe you want to attach both of these while you're at it)

Revision history for this message
Lorenz (lqb) wrote :

Yes, of course.
Here they are.

Revision history for this message
Steve Langasek (vorlon) wrote :

Thanks, I've been able to reproduce the problem now, though it's rather tricky - it requires both the libpam-sss package and the mkhomedir profile that you have available locally, in order to reproduce this. (It seems that the sss profiles you have on your system come from precise-updates and don't look the same in the precise version of the package; however, this apparently has no bearing on the problem.)

Essentially, this is a problem with the handling of trailing whitespace in the pam config (/usr/share/pam-configs/mkhomedir has a whitespace-only line at the end of the file). pam-auth-update should be fixed to ignore such blank lines, and not store them to /var/lib/pam/foo, which is where the problem arises.

Changed in pam (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
Revision history for this message
Steve Langasek (vorlon) wrote :

I think this should do the job:

--- debian/local/pam-auth-update 2011-10-30 19:06:55 +0000
+++ debian/local/pam-auth-update 2013-04-15 19:06:23 +0000
@@ -686,7 +686,7 @@
   } else {
    chomp;
    s/^\s+//;
- $profile{$fieldname} .= "\n$_";
+ $profile{$fieldname} .= "\n$_" if ($_);
    $profile{$fieldname} =~ s/^[\n\s]+//;
   }
  }

Changed in pam (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.3-10ubuntu1

---------------
pam (1.1.3-10ubuntu1) trusty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix's explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - Build-depend on libfl-dev in addition to flex, for cross-building
      support.
    - Add /usr/local/games to PATH.
    - Disable libaudit for stage1 bootstrap.
    - Adjust debian/patches-applied/update-motd to write to
      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
      to use this file and no longer links /etc/motd to /var/run/motd.

pam (1.1.3-10) unstable; urgency=low

  * Fix pam-auth-update handling of trailing blank lines in the fields of
    profiles. LP: #1160288.
  * Reintroduce libaudit support now that libaudit has been multiarched.
    Closes: #699159.

pam (1.1.3-9) unstable; urgency=low

  * Revert libaudit support for now, because libaudit isn't multiarched yet
    in unstable so this regresses cross-installability. Reopens bug
    #699159.
  * Add an or'ed dependency on cdebconf, which also implements the
    xloadtemplatefile extension that prevents us from depending on just
    'debconf-2.0'. Thanks to Régis Boudin <email address hidden> for the info.
    Closes: #677278.
 -- Steve Langasek <email address hidden> Sun, 20 Oct 2013 18:21:34 -0700

Changed in pam (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.