apr-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47272] New: crypt() can fail but apr-util doesn't check that and thus app segfaults
Date Wed, 27 May 2009 10:15:50 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47272

           Summary: crypt() can fail but apr-util doesn't check that and
                    thus app segfaults
           Product: APR
           Version: 1.3.4
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: APR-util
        AssignedTo: bugs@apr.apache.org
        ReportedBy: arekm@pld-linux.org


Created an attachment (id=23718)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23718)
don't segfault when crypt() fails

apr_password_validate() in apr-util doesn't verify that crypt() succeeded. It's
very, very uncommon for crypt() to fail but it's possible.

glibc 2.10.1 is able to use nss functions as a backend for crypt(). The nss
library is "smart" enough to verify itself via a special "chk" file. If the chk
file doesn't exist or is not readable (due to apparmor/selinux) then crypt() in
glibc will simply return NULL.

I also have a man page which says:
"RETURN VALUE
       A pointer to the encrypted password is returned.  On error, NULL is returned.
"

On my setup the chk file from nss was not readable, thus making the
mod_authn_xxx module segfault.

The attached simple patch prevents the segfault from happening.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org

