Peter van Dijk (peter@ATTIC.VUURWERK.NL)
Mon, 2 Feb 1998 00:08:17 +0100 

       Messages sorted by: [ date ][ thread ][ subject ][ author ] 
       Next message: Peter van Dijk: "Re: imapd/ipop3d coredump in slackware 3.4" 
       Previous message: RHS Linux User: "Bug in IMail's pop3d32.exe" 
       Next in thread: Peter van Dijk: "Re: imapd/ipop3d coredump in slackware 3.4" 

[attic bug report nr. 1]

While fooling around a little with NIS/YP (didn't get it completely
working...) I ran into a bug in the imapd and ipop3d that come with
slackware 3.4 (if you install the pine package).
Earlier slackware versions will problably NOT suffer from this bug,
because they did not include shadowing.

When fed an unknown username, imapd and ipop3d will dump core:

[root@koek] /# telnet zopie 110
Connected to
Escape character is '^]'.
+OK POP3 3.3(20) w/IMAP2 client (Comments to MRC@CAC.Washington.EDU) at Sun, 1 Feb 1998 23:45:06 +0100 (CET)
user root
+OK User name accepted, password please
pass linux
[this is not the correct password]
-ERR Bad login
user john
[i have no user named john]
+OK User name accepted, password please
pass doe
Connection closed by foreign host.

At this point ipop3d coredumps in /core:

[root@zopie] /# strings core | grep -A3 root
[crypted pw here]

Sun Feb  1 23:45:15 1998
root:[crypted pw here]:10244:0:::::
[looks like my /etc/shadow ;(]
root:[crypted pw here]:10244:0:::::

[I removed the pw because it's my own ;)]

Same goes for imapd:
Connected to
* OK IMAP2bis Service 7.8(100) at Sun, 1 Feb 1998 23:53:00 +0100 (CET)
A001 LOGIN root linux
A001 NO Bad LOGIN user name and/or password
A002 LOGIN john doe
Connection closed by foreign host.

Doing the strings/grep again gives about the same result.

Running this under strace shows that the program reads /etc/passwd and
closes it again, then reopens it (to try the username in lowercase) and
reads again, followed by a SIGSEGV.

The bug is in (one of) the patches and diffs that are applied to
support shadowing in Linux. The problem is in log_lnx.c.diff.gz:
-  if (!(pw && pw->pw_uid)) return NIL;
+/*  if (!(pw && pw->pw_uid)) return NIL; */

I have no idea why this check is removed (the programs continue to keep
working with this check enabled), but it breaks the whole thing.
A couple more patches are applied, after which 'build lnx' is executed.
Apparently Patrick Volkerding (maintainer of SlackWare, real cool guy I
think) didn't realize that 'build slx' does about the same, only safe...

Note that the dumped core is mode 600, _unless_ /core already exists, in
which case it's permissions are retained.

Greetz, Peter.

P.S. Does anybody know where a process like ipop3d leaves it's coredumps
_after_ the user has logged in, so that it's running under the users' id?