uninitialized value $3 / $curmod

Bug #1160288 reported by Lorenz on 2013-03-26
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Medium
Unassigned

Bug Description

[impact]
Call of pam-auth-update raises some warnings of uninitalized variables

[test case]
install sssd libpam-sss libnss-sss and run pam-auth-update

[versions]
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise

libpam-runtime 1.1.3-7ubuntu2

[possible solution]
--- a/pam-auth-update Tue Mar 26 11:05:37 2013 +0100
+++ b/pam-auth-update Tue Mar 26 11:05:56 2013 +0100
@@ -620,8 +620,8 @@
                                ($modname,$line) = @{$saved[0]};
                                shift(@saved);
                                $line =~ /^((\[[^]]+\]|\w+)\s+\S+)\s*(.*)/;
- @prev_opts = split(/\s+/,$3);
- $curmod = $1;
+ @prev_opts = split(/\s+/, (defined $3?$3:"") );
+ $curmod = (defined $1?$1:"");
                                # FIXME: the key isn't derived from the config
                                # name, so collisions are possible if more
                                # than one config references the same module

Related branches

Steve Langasek (vorlon) wrote :

Thanks for the patch, but that's not a correct fix. $3 is never supposed to be unset here, so the root error is somewhere else.

I also can't reproduce the problem with your provided test case. You must have previous pam-auth-update settings in your environment that are contributing to the problem.

Please provide:
 - the exact output of the pam-auth-update command
 - a tarball of /etc/pam.d/common-* and /var/lib/pam

Changed in pam (Ubuntu):
status: New → Incomplete
Lorenz (lqb) wrote :

The output of pam-auth-update:

$ sudo pam-auth-update
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 623, <CURRENT> line 32.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 631, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32.

$ sudo pam-auth-update --package
Use of uninitialized value $3 in split at /usr/sbin/pam-auth-update line 623, <CURRENT> line 32.
Use of uninitialized value $curmod in quotemeta at /usr/sbin/pam-auth-update line 631, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32.
Use of uninitialized value $curmod in hash element at /usr/sbin/pam-auth-update line 653, <CURRENT> line 32

Steve Langasek (vorlon) wrote :

You appear to have a /usr/share/pam-config/mkhomedir file which doesn't come from any Ubuntu package. Could you please attach this file as well?

Steve Langasek (vorlon) wrote :

(there's also a /usr/share/pam-config/sss-password that's not packaged; I'm pretty sure the problem is with the mkhomedir' profile, but maybe you want to attach both of these while you're at it)

Lorenz (lqb) wrote :

Yes, of course.
Here they are.

Steve Langasek (vorlon) wrote :

Thanks, I've been able to reproduce the problem now, though it's rather tricky - it requires both the libpam-sss package and the mkhomedir profile that you have available locally, in order to reproduce this. (It seems that the sss profiles you have on your system come from precise-updates and don't look the same in the precise version of the package; however, this apparently has no bearing on the problem.)

Essentially, this is a problem with the handling of trailing whitespace in the pam config (/usr/share/pam-configs/mkhomedir has a whitespace-only line at the end of the file). pam-auth-update should be fixed to ignore such blank lines, and not store them to /var/lib/pam/foo, which is where the problem arises.

Changed in pam (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
Steve Langasek (vorlon) wrote :

I think this should do the job:

--- debian/local/pam-auth-update 2011-10-30 19:06:55 +0000
+++ debian/local/pam-auth-update 2013-04-15 19:06:23 +0000
@@ -686,7 +686,7 @@
   } else {
    chomp;
    s/^\s+//;
- $profile{$fieldname} .= "\n$_";
+ $profile{$fieldname} .= "\n$_" if ($_);
    $profile{$fieldname} =~ s/^[\n\s]+//;
   }
  }

Changed in pam (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.3-10ubuntu1

---------------
pam (1.1.3-10ubuntu1) trusty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix's explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - Build-depend on libfl-dev in addition to flex, for cross-building
      support.
    - Add /usr/local/games to PATH.
    - Disable libaudit for stage1 bootstrap.
    - Adjust debian/patches-applied/update-motd to write to
      /run/motd.dynamic, as sysvinit/ssh/login in Debian have been changed
      to use this file and no longer links /etc/motd to /var/run/motd.

pam (1.1.3-10) unstable; urgency=low

  * Fix pam-auth-update handling of trailing blank lines in the fields of
    profiles. LP: #1160288.
  * Reintroduce libaudit support now that libaudit has been multiarched.
    Closes: #699159.

pam (1.1.3-9) unstable; urgency=low

  * Revert libaudit support for now, because libaudit isn't multiarched yet
    in unstable so this regresses cross-installability. Reopens bug
    #699159.
  * Add an or'ed dependency on cdebconf, which also implements the
    xloadtemplatefile extension that prevents us from depending on just
    'debconf-2.0'. Thanks to Régis Boudin <email address hidden> for the info.
    Closes: #677278.
 -- Steve Langasek <email address hidden> Sun, 20 Oct 2013 18:21:34 -0700

Changed in pam (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers