pam_auth: ALERT - canary mismatch on efree() - heap overflow detected

Bug #387963 reported by JL
This bug affects 2 people
Affects: php-auth-pam (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Running the attached PHP program with a correct username and password gives:

1: 1:
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file 'unknown')

strace shows it uses /etc/pam.d/other, which just includes the common-* setups, which in my case is a standard pam_ldap setup.

$ apt-cache policy php5-auth-pam
php5-auth-pam:
  Installed: 0.4-10
  Candidate: 0.4-10
  Version table:
 *** 0.4-10 0
        500 http://gb.archive.ubuntu.com jaunty/universe Packages
        100 /var/lib/dpkg/status

$ apt-cache policy php5
php5:
  Installed: 5.2.6.dfsg.1-3ubuntu4.1
  Candidate: 5.2.6.dfsg.1-3ubuntu4.1
  Version table:
 *** 5.2.6.dfsg.1-3ubuntu4.1 0
        500 http://gb.archive.ubuntu.com jaunty-updates/main Packages
        500 http://security.ubuntu.com jaunty-security/main Packages
        100 /var/lib/dpkg/status
     5.2.6.dfsg.1-3ubuntu4 0
        500 http://gb.archive.ubuntu.com jaunty/main Packages

I have just built a virgin Ubuntu system, with:
$ apt-cache policy php5
php5:
  Installed: 5.2.4-2ubuntu5.6
  Candidate: 5.2.4-2ubuntu5.6
  Version table:
 *** 5.2.4-2ubuntu5.6 0
        500 http://gb.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status
     5.2.4-2ubuntu5 0
        500 http://gb.archive.ubuntu.com hardy/main Packages
$ apt-cache policy php5-auth-pam
php5-auth-pam:
  Installed: 0.4-10
  Candidate: 0.4-10
  Version table:
 *** 0.4-10 0
        500 http://gb.archive.ubuntu.com hardy/universe Packages
        100 /var/lib/dpkg/status
... which also shows the same problem. This system is using a completely unmodified pam setup (i.e. pam_unix).

Gregory Colpart (evolix) (reg-evolix) wrote :

Hello,

Bug is in arguments handling:

--8<--
        cnt = ARG_COUNT(ht);
        switch (cnt) {
                case 2:
                        /* pam_auth($username, $password) */
                        if (zend_get_parameters_ex(2, &username, &password) == FAILURE) {
                                RETURN_FALSE;
                        }
                        break;
                case 3:
                        /* pam_auth($username, $password, &$status) */
                        if (zend_get_parameters_ex(3, &username, &password, &status) == FAILURE) {
                                RETURN_FALSE;
                        }
                        /* the third argument must be a reference so the status can be written back */
                        if (!PZVAL_IS_REF(*status)) {
                                php_error(E_WARNING, "Error variable must be passed by reference");
                                RETURN_FALSE;
                        }
                        /* frees the current contents of the caller's $status zval in place;
                           this is the line the second workaround below comments out */
                        pval_destructor(*status);
                        break;
                default:
                        WRONG_PARAM_COUNT;
                        break;
        }
--8<--

Dirty workarounds:
- Don't use the third arg; use only two args.
- Comment out the "pval_destructor(*status);" line and rebuild the package.
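As an added illustration of the first workaround (this is not code from the bug report or from the php-auth-pam package): a small wrapper that only ever calls the extension with two arguments, so the by-reference status branch shown above is never exercised. It assumes the extension exports pam_auth($username, $password [, &$status]), as the snippet implies; that function name is an assumption, not something this page shows verbatim.

```php
<?php
// Added example: authenticate through php-auth-pam using only the
// two-argument form, avoiding the three-argument (&$status) code path
// that the thread identifies as the source of the efree() canary alert.
// Assumes pam_auth($username, $password [, &$status]) is provided by the extension.

function pam_login($username, $password)
{
    if (!function_exists('pam_auth')) {
        // Extension not loaded: fail closed instead of silently accepting.
        error_log('pam_login: pam_auth() is unavailable');
        return false;
    }

    // Reject empty or malformed input before it reaches the PAM stack.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === ''
        || strpbrk($username, "\0\r\n") !== false) {
        return false;
    }

    // Deliberately no third argument: the status-by-reference branch is the
    // one whose pval_destructor() call the workaround above comments out.
    $ok = pam_auth($username, $password);

    // Log only the outcome, never the password or a PAM reason string.
    error_log(sprintf('pam_login: user=%s result=%s',
                      $username, $ok === true ? 'ok' : 'fail'));
    return $ok === true;
}

// Usage (credentials would come from a form, not literals):
// var_dump(pam_login(isset($_POST['user']) ? $_POST['user'] : '',
//                    isset($_POST['pass']) ? $_POST['pass'] : ''));
```

The wrapper returns a plain boolean; callers that previously read a reason string from the third argument lose that detail, which is the price of the workaround until the package is rebuilt.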

Gregory Colpart (evolix) (reg-evolix) wrote :

After the workarounds, here is the patch.

Gregory Colpart (evolix) (reg-evolix) wrote :

Oops, the last patch is broken; please ignore it.
