Subject: Re: PAM vulnerability in portable OpenSSH
To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= <des@des.no>
From: Damien Miller <djm@mindrot.org>
List: current-users
Date: 10/02/2003 09:59:10
Dag-Erling Smørgrav wrote:
> Damien Miller <djm@mindrot.org> writes:
>
>>The PAM spec is silent on the meanings of the arguments to the
>>conversation function (a really sad state of affairs for a security
>>technology).
>
> XSSO page 89: "The parameter msg is a pointer to an array of length
> num_msg of the pam_message structure".
You don't seem to agree. The PAM code that you wrote for FreeBSD's
OpenSSH treats msg as an array of pointers, not a pointer to an array
of structs.
http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/auth2-pam-freebsd.c?rev=1.13
(scroll down to pam_thread_conv)
See my point? One of the vulnerabilities in the recent sshpam.adv was
due to a similar confusion.
-d