sudo crashed with SIGSEGV in BN_is_zero() when using ECDSA keys with libpam-ssh-agent-auth
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam-ssh-agent-auth (Debian) |
Fix Released
|
Unknown
|
|||
pam-ssh-agent-auth (Ubuntu) |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Eoan |
Won't Fix
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Marc Deslauriers |
Bug Description
sudoers and pam sudo file attached. Steps to reproduce follow.
All operating systems except ubuntu 19.10 and 20.04 seem to work. This includes ubuntu 18.04, fedora 21, and centos 8. Copying pam-ssh-
$ sudo diff /etc/sudoers{
8a9
> Defaults env_keep+
$ sudo diff /etc/pam.
2a3
> auth sufficient pam_ssh_
$ rm .ssh/* && ssh-add -D
All identities removed.
$ ssh-keygen -N '' -q -f .ssh/id_rsa && ln -f .ssh/{id_
Identity added: /home/user/
$ sudo -K; sudo id
uid=0(root) gid=0(root) groups=0(root)
Up to here works on everything I can find and serves to validate your config is working. Let’s try ECDSA now:
$ rm -f .ssh/* && ssh-add -D
All identities removed.
$ ssh-keygen -N '' -q -t ECDSA -f .ssh/id_ecdsa && ln -f .ssh/{id_
Identity added: /home/user/
Crashes on 19.10-latest:
$ sudo -K; sudo id
Segmentation fault (core dumped)
$ dpkg-query -W libpam-
libpam-
sudo 1.8.27-1ubuntu4.1
Works fine (same as RSA above) on 18.04.04-latest:
$ dpkg-query -W libpam-
libpam-
sudo 1.8.21p2-3ubuntu1.2
Marking this security related in case it's exploitable because I don't have time to check. (sorry! SIGSEGV in pam makes me nervous)
ProblemType: Crash
DistroRelease: Ubuntu 20.04
Package: sudo 1.8.31-1ubuntu1
ProcVersionSign
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sat Mar 28 10:22:49 2020
ExecutablePath: /usr/bin/sudo
InstallationDate: Installed on 2020-03-28 (0 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200324)
ProcCmdline: sudo id
ProcEnviron: Error: [Errno 13] Permission denied: 'environ'
ProcMaps: Error: [Errno 13] Permission denied: 'maps'
SegvAnalysis: Failure: invalid literal for int() with base 16: 'Error:'
Signal: 11
SourcePackage: sudo
StacktraceTop:
BN_is_zero () from /lib/x86_
?? () from /lib/x86_
ssh_ecdsa_verify () from /lib/x86_
userauth_
pamsshagentaut
Title: sudo crashed with SIGSEGV in BN_is_zero()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
VisudoCheck:
/etc/sudoers: parsed OK
/etc/sudoers.
mtime.conffile.
mtime.conffile.
separator:
tags: | removed: need-amd64-retrace |
description: | updated |
Changed in pam-ssh-agent-auth (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
Changed in pam-ssh-agent-auth (Debian): | |
status: | Unknown → New |
Changed in pam-ssh-agent-auth (Debian): | |
status: | New → Fix Released |
Correction: segv on debian 10, too. I'm sure you know better how to loop them in than I do.