lightdm crashed with SIGSEGV in _pam_winbind_change_pwd() when password is expiring

Bug #1003296 reported by Luca Lorenzetto on 2012-05-23
36
This bug affects 6 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
High
Bryan Quigley
Precise
High
Unassigned
Quantal
Undecided
Unassigned

Bug Description

My precise client is member of a Windows Domain. A domain user can login using samba/winbind without problem in tty and via lightdm if the user password is ok.

If the password is expiring a domain user logs in correctly via TTY, with a message "Your password is expiring in 10 days". if tries with lightdm the user gets the message "Your password is expiring in 10 days", but then returns to the username request.

On /var/log/syslog i get:

May 23 08:50:52 tv52605 kernel: [ 1046.645230] lightdm[2415]: segfault at 0 ip b73d976a sp bfd66fa8 error 4 in libc-2.15.so[b729c000+19f000]

for each time the user tries to login with the domain user credentials.

Expected behaviour:

the user sees the message "Your password is expiring in 10 days", then logs in (like gdm in ubuntu 10.04 does).

I attach the crash file i found in /var/crash/ (that i'm unable to send via apport-bug tue to same strange bug)

[Impact]

 * This bug makes users unable to login via the LightDM interface when their password is close to expiring.

 * This upload just checks for a null reference so that LightDM won't crash on it.

[Test Case]

 * Set up Active Directory (not tested with Samba AD)
 * Have user passwords to expire after a certain time
 * Wait until they would be alerted for this, note crash on login

[Regression Potential]

 * It is has been upstream for a while now and has been tested by several users. It is also already fixing in Ubuntu Raring+
 * There might be a better way to handle the null pointer?

Colin Watson (cjwatson) on 2012-05-23
affects: launchpad → lightdm (Ubuntu)

Seems to be a problem only with active directory users (so related to the usage of pam_winbind.so).

I tried this on a new installed machine:

created a user newuser

chage -M 5 newuser (set expiring password to 5 days)

lightdm logs in showing a warning for the expiring password (disappears very quickly because lightdm closes)

I'll try this also on my client machine (in few days) and i'll test also with another expiring Active Directory user.

Another crash file. I'm installing now more debug symbols (there are some symbol table missing)

summary: - lightdm crashed with SIGSEGV when password is expiring
+ lightdm crashed with SIGSEGV in pam_sm_authenticate() when password is
+ expiring
summary: - lightdm crashed with SIGSEGV in pam_sm_authenticate() when password is
- expiring
+ lightdm crashed with SIGSEGV in _pam_winbind_change_pwd() when password
+ is expiring
security vulnerability: no → yes
visibility: public → private

This is the unpacked crash file with latest ddebs. I removed my plain password both in file and in crash dump (it has been replaced with **********)

Tyler Hicks (tyhicks) wrote :

Hi Luca - Any specific reason that you marked this as private? It severely limits the number of people that can view the bug report. If you are ok with the crash files being public, please mark the bug as public so that more eyes can see this bug. Thanks!

On Sat, Jun 2, 2012 at 1:14 AM, Tyler Hicks <email address hidden> wrote:
> Hi Luca - Any specific reason that you marked this as private? It
> severely limits the number of people that can view the bug report. If
> you are ok with the crash files being public, please mark the bug as
> public so that more eyes can see this bug. Thanks!

It has been marked as private by Luca Falavigna, maybe because i said
him there was my password in the crash file. But i edited the crash
informations to remove my password (replaced with stars).

FYI i can still reproduce this bug for at most one week (my password
will expire completely in no more than 7 days), then you've to wait
another month :-(

So if you want me to install some other debug things and reproduce
the bug, i'm here this week to help you.

You can find me in #ubuntu-it-dev on freenode with the nick name
"remix_tj" if you want to ask things to me directly.

--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <email address hidden>

On Sat, Jun 2, 2012 at 12:14 PM, Luca 'remix_tj' Lorenzetto
<email address hidden> wrote:
[cut]
> FYI i can still reproduce this bug for at most one week (my password
> will expire completely in no more than 7 days), then you've to wait
> another month :-(

Today is completely expired the password.

I tried to login, lightdm said me that the password is expired and
allowed me to login, but did not crash.

So the problem is related to the expiring status of the password.

--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
<email address hidden>

Another user reported me that he had the same problem.

The user is <email address hidden>

Jamie Strandboge (jdstrand) wrote :

Based on user's feedback, marking this public again. Also, this seems to be a regular bug.

security vulnerability: yes → no
visibility: private → public

Today the bug is back, my password is now returned in the "expiring" period

Same problem on a fresh install on a samsung nc10 notebook, precise 32bit. Now i'll test on 64bits

the problem seems to be related only to pam_winbind not directly to lightdm. Also gdm does not allows the login. I attached a grep of syslog file kept after inserting username and password on gdm. Gdm hangs showing me "your password will expire in 12 days".

Sebastien Bacher (seb128) wrote :

Thank you for your comment, do you think you could get a stacktrace of the lightdm issue with libpam-winbind-dbgsym (http://ddebs.ubuntu.com/pool/main/s/samba/) installed?

affects: lightdm (Ubuntu) → samba (Ubuntu)
Changed in samba (Ubuntu):
importance: Undecided → High
Changed in samba (Ubuntu Precise):
importance: Undecided → High
Sebastien Bacher (seb128) wrote :

reassigning to samba since the issue seems in libpam-winbind

I've already installed dmbsym for libpam-winbind (2:3.6.3-2ubuntu2.3) do you need another crash file?

the problem is affecting also ubuntu 64bit

Another detail I noticed is that if i log in from tty i get the message

"erroneous conversation (5)" after the message of expired password.

I report also that i found the problem also with debian stable.

I tested also on fedora, the problem is related to samba main distribution.

Ubuntu 10.04 with winbind 3.4.7 is not affected by this bug

I reported also bug on the samba-bugzilla

https://bugzilla.samba.org/show_bug.cgi?id=9013

The problem is back. Nothing is changed in this month

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu Precise):
status: New → Confirmed
Changed in samba (Ubuntu):
status: New → Confirmed
Johan Ramm-Ericson (johanre) wrote :

I can confimr that this bug also affects me. Is there any information I can provide to help unearth the cause?

Johan,

what version of windows server is installed on your domain controllers?

Johan Ramm-Ericson (johanre) wrote :

Sorry about the delayed response, took a while to get hold of the info: our domain controllers are Win 2008 R2

Same here... maybe is a problem of integration between windows 2008 R2 and samba?

Johan Ramm-Ericson (johanre) wrote :

Actually, this is not the first time we see a similar issue. We ran into it with 10.04 / Lucid + samba + gdm and this was before our domain controllers were 2008 R2. I can't quite remeber what fixed it then (I'm still digging through old emails) but I have a vague memory of it being fixed by a samba / winbind patch.

I wrote and tested a patch that fixes the bug. Reading the source code i found that this:

 _pam_log(ctx, LOG_CRIT, "Received [%s] reply from application.\n", resp->resp);

So i searched on the auth.log logfile for this log entry and found:

pam_winbind(lightdm:auth): Received [(null)] reply from application

Then i found on a the crashfile stackthread:

#0 __strcasecmp_l_ssse3 () at ../sysdeps/i386/i686/multiarch/strcmp-ssse3.S:293
 No locals.
 #1 0xb7221398 in _pam_winbind_change_pwd (ctx=<optimized out>) at ../nsswitch/pam_winbind.c:834
         msg = {msg_style = 5, msg = 0xb7228f90 "Do you want to change your password now?"}
         pmsg = 0xbfc39810
         resp = 0x85831a8
         prompt = <optimized out>
         ret = <optimized out>
         retval = false

So the problem is on the call of strcasecmp with null as first parameter.

Attached the patch that fixes the issue.

I tested against the latest sources for precise that can be downloaded with:

apt-get source samba

The attachment "Fixes bug adding a check for a null value before calling strcasecmp" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch

https://bugzilla.samba.org/show_bug.cgi?id=9013#c8

patch has been accepted on master source of samba

Johan Ramm-Ericson (johanre) wrote :

Excellent work, Luca! Will test your patch as soon as I can.

Does my patch has been tested? This patch is already in samba 3.6.9 but is not in ubuntu package that i have to fix manually.

Johan Ramm-Ericson (johanre) wrote :

Sorry, Luca, yes - we have tested your patch and it worked fine for one user! We are just waiting for other user accounts to expire...

Bryan Quigley (bryanquigley) wrote :

Has this been confirmed to be fixed via this patch with other user accounts at this point? If so, we should start the SRU process..

On 26 June 2013 20:30, Bryan Quigley <email address hidden> wrote:

> Has this been confirmed to be fixed via this patch with other user
> accounts at this point? If so, we should start the SRU process..

Yes, it works for all user accounts.

AFAIK is already merged in samba main tree:

ftp://ftp.samba.org/pub/unpacked/samba_3_current/WHATSNEW.txt (for 3.5.x)

http://www.samba.org/samba/history/samba-3.6.9.html (for 3.6.x)

So newer ubuntu versions like raring does already include this patch.

On Wed, Jun 26, 2013 at 8:30 PM, Bryan Quigley <email address hidden> wrote:
> Has this been confirmed to be fixed via this patch with other user
> accounts at this point? If so, we should start the SRU process..
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1003296
>
> Title:
> lightdm crashed with SIGSEGV in _pam_winbind_change_pwd() when
> password is expiring
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1003296/+subscriptions

--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <email address hidden>

description: updated
Changed in samba (Ubuntu):
assignee: nobody → Bryan Quigley (bryanquigley)
Bryan Quigley (bryanquigley) wrote :
Bryan Quigley (bryanquigley) wrote :
Iain Lane (laney) on 2013-07-22
Changed in samba (Ubuntu):
status: Confirmed → Fix Released
Iain Lane (laney) on 2013-07-22
Changed in samba (Ubuntu Precise):
status: Confirmed → In Progress
Changed in samba (Ubuntu Quantal):
status: New → In Progress
Iain Lane (laney) wrote :

Uploaded, thank you

Jamie Strandboge (jdstrand) wrote :

Since these are uploaded, unsubscribing ubuntu-sponsors.

Hello Luca, or anyone else affected,

Accepted samba into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/samba/2:3.6.6-3ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in samba (Ubuntu Precise):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Luca, or anyone else affected,

Accepted samba into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/samba/2:3.6.3-2ubuntu2.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Marc Deslauriers (mdeslaur) wrote :

Can someone please verify the samba packages in precise-proposed and quantal-proposed please?
A samba security update is pending, and these packages will be superseded if they don't get tested soon.

On Mon, Aug 19, 2013 at 3:55 PM, Marc Deslauriers
<email address hidden> wrote:
> Can someone please verify the samba packages in precise-proposed and quantal-proposed please?
> A samba security update is pending, and these packages will be superseded if they don't get tested soon.

Sorry, i cannot test these packages since i've no accounts in
expiration for the next 30 days. But looking at the diff from the
previous version i see that modifications are exactly like the package
i built by myself to avoid this bug and used for months.

So for me is ok.

--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <email address hidden>

tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray) wrote :

Luca - that don't doesn't really qualify as verification of the bug as detailed on the SRU wiki page.

tags: added: verification-needed
removed: verification-done
Johan Ramm-Ericson (johanre) wrote :

I'm not either on an account that is close to expiration, will talk to colleagues next week and see if someones account is close to expiring (I'm on vacation right now).

Bryan Quigley (bryanquigley) wrote :

I understand that this is relatively difficult to reproduce. Is anyone in a better position to test it now?

Johan Ramm-Ericson (johanre) wrote :

My apologies; in the rush of things to do, I'd forgotten about this.
Yes, my account is actually currently in the expiration cycle. I will
test in a few hours time and report back.

Johan Ramm-Ericson (johanre) wrote :

Ran into dependancy issues. There was a conflict between the existing samba-common (2:3.6.3-2ubuntu2.6) package and the samba-common-bin (2:3.6.3-2ubuntu2.7) package that has blocked me from further work - I can't login anymore. WIll try to do further tests tomorrow when I'm back in the office (given that I can recover my system).

Bryan Quigley (bryanquigley) wrote :

Both samba-common and -bin should have been upgrades to ...ubuntu2.7. Let me know the details of the conflict when you can.

Thanks again for testing. Sorry it's not going well.

Very strange, i installed it without problems with a simple:

 apt-get upgrade winbind libpam-winbind samba

lorenzettoluca@tv52605:~$ dpkg -l samba samba-common winbind
libpam-winbind | grep ubuntu | cut -f 2 -d ":" | cut -f 1 -d " "
3.6.3-2ubuntu2.7
3.6.3-2ubuntu2.7
3.6.3-2ubuntu2.7
3.6.3-2ubuntu2.7

On Mon, Sep 9, 2013 at 9:49 PM, Johan Ramm-Ericson
<email address hidden> wrote:
> Ran into dependancy issues. There was a conflict between the existing
> samba-common (2:3.6.3-2ubuntu2.6) package and the samba-common-bin
> (2:3.6.3-2ubuntu2.7) package that has blocked me from further work - I
> can't login anymore. WIll try to do further tests tomorrow when I'm back
> in the office (given that I can recover my system).
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1003296
>
> Title:
> lightdm crashed with SIGSEGV in _pam_winbind_change_pwd() when
> password is expiring
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1003296/+subscriptions

--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <email address hidden>

Bryan Quigley (bryanquigley) wrote :

Confirmed by customer to be fixed on Ubuntu 12.04. I'm not sure we have anyone affected using 12.10 though, anybody?

tags: added: verification-done-precise verification-needed-quantal
removed: verification-needed

On Mon, Sep 16, 2013 at 10:11 PM, Bryan Quigley <email address hidden> wrote:
> Confirmed by customer to be fixed on Ubuntu 12.04. I'm not sure we have
> anyone affected using 12.10 though, anybody?

I Don't remember but AFAIR the bug was in all recent versions

--
"E' assurdo impiegare gli uomini di intelligenza eccellente per fare
calcoli che potrebbero essere affidati a chiunque se si usassero delle
macchine"
Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

"Internet è la più grande biblioteca del mondo.
Ma il problema è che i libri sono tutti sparsi sul pavimento"
John Allen Paulos, Matematico (1945-vivente)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <email address hidden>

Bryan Quigley (bryanquigley) wrote :

@Luca,

Sorry for not being clearer. Quantal is definitely affected, hence the debdiff. However, I'm not sure we still have anyone actually using 12.10 on an Domain at this point; so I'm not sure if there will be any testers.

Right. Since in few months support will be dropped i'll leave there the
patch
Il giorno 17/set/2013 15:11, "Bryan Quigley" <email address hidden> ha scritto:

> @Luca,
>
> Sorry for not being clearer. Quantal is definitely affected, hence the
> debdiff. However, I'm not sure we still have anyone actually using
> 12.10 on an Domain at this point; so I'm not sure if there will be any
> testers.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1003296
>
> Title:
> lightdm crashed with SIGSEGV in _pam_winbind_change_pwd() when
> password is expiring
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1003296/+subscriptions
>

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.6.3-2ubuntu2.7

---------------
samba (2:3.6.3-2ubuntu2.7) precise-proposed; urgency=low

  * Fix login with expiring user passwords (LP: #1003296)
    - Fixed in Samba 3.6.9 (Samba bug: 9013)
 -- Bryan Quigley <email address hidden> Wed, 10 Jul 2013 12:25:17 -0400

Changed in samba (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in samba (Ubuntu Quantal):
status: Fix Committed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.