[Bug 1698758] Re: Encrypted password causes segmentation fault

Andreas Hasenack andreas at canonical.com
Thu Jun 22 14:16:00 UTC 2017 

Ok, got a better hang of it. crypt(3) can indeed be used like that, but the code needs to check for it returning NULL in the case of errors:
diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
index 0a16e05..4f80917 100644
--- a/mod_auth_pgsql.c
+++ b/mod_auth_pgsql.c
@@ -868,6 +868,12 @@ static authn_status check_password(request_rec *r, const char *user,
                        break;
                case AUTH_PG_HASH_TYPE_CRYPT:
                        sent_pw = (char *) crypt(sent_pw, real_pw);
+                       if (!sent_pw) {
+                               apr_snprintf(pg_errstr, MAX_STRING_LEN,
+                                                "PG user %s: password mismatch", user);
+                               ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+                               return AUTH_DENIED;
+                       }
                        break;
                case AUTH_PG_HASH_TYPE_BASE64:
                        sent_pw = auth_pg_base64(sent_pw);


What happened is that the hash format you used, "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", is not the type of input crypt(3) expects for the salt argument, hence the NULL return value (and the crash since that wasn't checked for).

The salt argument (the second argument) should either be:
- 2 characters for standard DES from the range [a-zA-Z0-9./]. Note how "{" or "}" are not there
- $id$salt$encrypted, where id means:
              ID  | Method
              ─────────────────────────────────────────────────────────
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)

So the above patch fixes the crash, but you should use a different type
of hash format. {SHA} is not supported. It is supported by apache's
apr_password_validate(), but that is not used in this code.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1698758

Title:
  Encrypted password causes segmentation fault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1698758/+subscriptions

More information about the Ubuntu-server-bugs mailing list