Bugzilla – Bug 233
User can not cancel sudo when using PAM
Last modified: 2009-08-31 15:10:19 MDT
When presented with the prompt to enter a password the user cannot cancel the operation even with ^C. sudo_conv() in auth/pam.c calls tgetpass. If the user enters ^C, tgetpass returns a NULL, but sudo_conv() sends back a zero-length string to PAM. It should return something like PAM_CONV_ERR, so PAM will quit processing and return to sudo with an error. Some PAM modules will accept the zero-length password and try to process it. RADIUS, for example, may use this to start a challenge-response sequence, which will call sudo_conv() again, which the user cannot cancel. Eventually, after a few more attempts at prompting the user, PAM will give up, but the user's account may now be flagged, or even locked. This fails on at least Solaris 10, and Ubuntu with sudo-1.6.8p12. Attached is a patch to return PAM_CONV_ERR if tgetpass returns NULL.

--- ,pam.c Sat Feb 5 12:03:15 2005 +++ pam.c Mon Feb 19 11:33:37 2007 @@ -218,6 +218,7 @@ char *pass; int n, flags; extern int nil_pw; + int ret = PAM_SUCCESS; if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL) return(PAM_CONV_ERR); @@ -240,6 +241,8 @@ nil_pw = 1; /* empty password */ else zero_bytes(pass, strlen(pass)); + if (pass == NULL) /* Interupted, user wants out clean up */ + ret = PAM_CONV_ERR; /* Solaris also has PAM_CONV_INTERUPT */ break; case PAM_TEXT_INFO: if (pm->msg) @@ -252,6 +255,9 @@ } break; default: + ret = PAM_CONV_ERR; + } + if (ret != PAM_SUCCESS) { /* Zero and free allocated memory and return an error. */ for (pr = *response, n = num_msg; n--; pr++) { if (pr->resp != NULL) { @@ -263,7 +269,7 @@ zero_bytes(*response, num_msg * sizeof(struct pam_response)); free(*response); *response = NULL; - return(PAM_CONV_ERR); + return(ret); } }
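Review bot: in the @@ -240,6 +241,8 @@ hunk the new `if (pass == NULL)` test is placed after the `nil_pw = 1; /* empty password */ ... else zero_bytes(pass, strlen(pass));` branch rather than before it, so the empty-password bookkeeping for that message has already run by the time the interrupt is noticed; test for NULL right after tgetpass returns, ahead of the empty-password handling, so a cancelled prompt is never treated as an empty answer. The comments added here also misspell "Interrupted" ("Interupted", "PAM_CONV_INTERUPT"); if a Solaris-specific return code is meant, name the constant as the Solaris headers spell it so the hint can be acted on.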
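Review bot: in the @@ -252,6 +255,9 @@ hunk the added `if (ret != PAM_SUCCESS) {` now encloses the existing `/* Zero and free allocated memory and return an error. */` loop, but those lines appear only as unchanged context, so they keep their old indentation although they now sit one block deeper; re-indent the enclosed cleanup block so the braces and indentation agree.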
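Review bot: in the @@ -263,7 +269,7 @@ hunk `return(ret)` can only ever yield PAM_CONV_ERR, since that is the only value other than PAM_SUCCESS the patch stores in `ret` (in both the interrupted-prompt case and the `default:` case) and this return is reached only when `ret != PAM_SUCCESS`; either keep `return(PAM_CONV_ERR)` and drop the variable, or give the interrupted prompt its own code as the PAM_CONV_INTERUPT remark suggests, so a caller can tell a cancel from a malformed conversation.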
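The conversation-function contract the report describes, as an added example that is not part of the bug report, the attached patch, or sudo itself. It shows a conversation function in the reported form (a NULL from the password reader is answered with "") and in the fixed form (a NULL aborts the conversation with PAM_CONV_ERR and the response array is scrubbed and freed), and runs both against a toy module that re-prompts on an empty answer the way the report says a RADIUS module may. Everything here is assumed for the demonstration: the PAM types and constants are stand-ins with Linux-PAM's values so the file builds without libpam, `conv_cfg` replaces sudo's globals and is carried through appdata_ptr, the password reader is a preset value standing in for tgetpass(), and `toy_module_auth` is a model of challenge-response behaviour, not any real module.

```c
/* Added example, not code from sudo or from the reporter's patch: a PAM
 * conversation function switchable between the reported behaviour (^C at the
 * prompt is answered with "") and the fix (^C aborts with PAM_CONV_ERR), driven
 * by a toy module that re-prompts on an empty password. */
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <stdlib.h>
#include <string.h>

/* Stand-ins for libpam's declarations (values are Linux-PAM's) so this builds
 * without libpam. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical per-attempt state, handed to the conversation as appdata_ptr. */
struct conv_cfg {
    int abort_on_interrupt;  /* 0: the reported bug, 1: the fix */
    const char *input;       /* what the stand-in password reader returns; NULL = ^C */
    int prompts;             /* how many times the user was prompted */
};

/* Scrub and free every answer and the array; NULL the caller's pointer so PAM
 * never sees a half-filled response array. */
static void discard_responses(struct pam_response **response, int num_msg)
{
    struct pam_response *pr = *response;
    for (int n = 0; n < num_msg; n++) {
        if (pr[n].resp != NULL) {
            memset(pr[n].resp, 0, strlen(pr[n].resp));
            free(pr[n].resp);
        }
    }
    memset(pr, 0, num_msg * sizeof(*pr));
    free(pr);
    *response = NULL;
}

static int sample_conv(int num_msg, const struct pam_message **msg,
                       struct pam_response **response, void *appdata_ptr)
{
    struct conv_cfg *cfg = appdata_ptr;
    int ret = PAM_SUCCESS;
    if ((*response = calloc(num_msg, sizeof(struct pam_response))) == NULL)
        return PAM_CONV_ERR;                     /* calloc: unfilled slots read as NULL */
    for (int n = 0; n < num_msg && ret == PAM_SUCCESS; n++) {
        struct pam_response *pr = &(*response)[n];
        const char *pass;
        switch (msg[n]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
            cfg->prompts++;                      /* stand-in for tgetpass(): */
            pass = cfg->input;                   /* NULL models ^C (or a timeout) */
            if (pass == NULL && cfg->abort_on_interrupt) {
                ret = PAM_CONV_ERR;              /* the fix: report the cancel */
                break;
            }
            pr->resp = strdup(pass ? pass : "");  /* the bug: NULL becomes "" */
            if (pr->resp == NULL)
                ret = PAM_CONV_ERR;
            break;
        default:
            ret = PAM_CONV_ERR;                  /* unsupported message style */
        }
    }
    if (ret != PAM_SUCCESS)
        discard_responses(response, num_msg);    /* hand nothing back on error */
    return ret;
}

/* Toy challenge-response module (a model, not the real RADIUS module): an empty
 * answer starts a challenge and prompts again, up to max_rounds times; a
 * conversation error ends the attempt at once. */
static int toy_module_auth(struct conv_cfg *cfg, int max_rounds)
{
    const struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[1] = { &prompt };
    for (int round = 0; round < max_rounds; round++) {
        struct pam_response *resp = NULL;
        int rc = sample_conv(1, msgs, &resp, cfg);
        if (rc != PAM_SUCCESS)
            return rc;                           /* user cancelled: stop here */
        int answered = resp[0].resp[0] != '\0';
        discard_responses(&resp, 1);
        if (answered)
            return PAM_SUCCESS;
    }                                            /* "": challenge, ask again */
    return PAM_AUTH_ERR;
}

static int last_prompts;  /* prompts issued by the most recent attempt */
/* Outcome of one three-round attempt; the prompt count is left in last_prompts. */
static int attempt_result(int abort_on_interrupt, const char *input)
{
    struct conv_cfg cfg = { abort_on_interrupt, input, 0 };
    int rc = toy_module_auth(&cfg, 3);
    last_prompts = cfg.prompts;
    return rc;
}
```

With `abort_on_interrupt` off, a single ^C produces three prompts and an authentication failure, which is the lockout path the report warns about; with it on, the user is prompted once and the module sees PAM_CONV_ERR. The error path deliberately zeroes and frees every allocated answer before returning, as the patch's cleanup loop does, so no partially built response array reaches PAM.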
A fix for this already exists in the sudo CVS tree.
*** Bug 366 has been marked as a duplicate of this bug. ***