Bug 598 - Crashes in passwd plugin when account locked
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.6
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2013-04-11 09:28 MDT by Ross Burton
Modified: 2013-04-11 11:25 MDT (History)
Attachments
Potential fix (1.04 KB, patch)
2013-04-11 09:30 MDT, Ross Burton
Description Ross Burton 2013-04-11 09:28:56 MDT
sudo 1.8.6p7 crashes in libc.so when using eglibc 2.17 if the account is locked (i.e. the password in /etc/shadow is "!").

This appears to be because crypt() in 2.17 onwards expects the salt input to be valid and will return NULL if it isn't.  In this case the existing password ew_epasswd is just "!" and not $id$salt$encrypted, so it errors out.

sudo assumes that there isn't ever an error when calling crypt(), so happily passes NULL to strcmp, which predictably crashes.
Comment 1 Ross Burton 2013-04-11 09:30:39 MDT
Created attachment 367
Potential fix

This looks like the right fix, but I'm obviously hesitant when dealing with something so security-critical as sudo!
Comment 2 Todd C. Miller 2013-04-11 11:25:26 MDT
Thanks for the detailed bug report.  I've just released sudo 1.8.6p8 which fixes this.
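
The failure mode from the description, as an added example (this is not sudo's code and not the attached patch): a password check that passes the hash result straight to strcmp(), beside a form that treats a NULL return as an authentication failure. `strict_crypt` is a hypothetical stand-in that models only the "invalid salt returns NULL" behaviour so the block builds without libcrypt; the real crypt(3) has the same signature and can be passed instead.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), so the real function can be passed instead. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

enum { AUTH_FAIL = 0, AUTH_OK = 1 };

static int des_salt_char(char c)
{
    return c != '\0' && strchr("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "abcdefghijklmnopqrstuvwxyz", c) != NULL;
}

/* Hypothetical stand-in for crypt(3): models only the behaviour in the report
 * (invalid salt -> NULL). Its output is a constructed placeholder, not a hash. */
char *strict_crypt(const char *key, const char *salt)
{
    static char out[128];
    if (salt[0] != '$' && !(des_salt_char(salt[0]) && des_salt_char(salt[1])))
        return NULL;
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* Pattern from the report: the result goes straight to strcmp(), so a NULL
 * return is dereferenced. Shown for contrast only; never called below. */
int check_unchecked(const char *typed, const char *stored, crypt_fn hash)
{
    return strcmp(hash(typed, stored), stored) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Hardened form: a NULL from the hash function is an authentication failure. */
int check_password(const char *typed, const char *stored, crypt_fn hash)
{
    const char *computed = (typed && stored) ? hash(typed, stored) : NULL;
    if (computed == NULL)
        return AUTH_FAIL;
    return strcmp(computed, stored) == 0 ? AUTH_OK : AUTH_FAIL;
}

int main(void)
{
    /* Constructed sample entries: "absecret" is strict_crypt("secret", "ab"). */
    printf("valid=%d locked=%d\n", check_password("secret", "absecret", strict_crypt),
           check_password("secret", "!", strict_crypt));
    return 0;
}
```

A locked entry ("!") therefore fails closed: the check rejects the login instead of crashing or matching.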