stoeckmann/xwallpaper 137

wallpaper setting utility for X

stoeckmann/signify-windows 6

OpenBSD signify for Windows systems

stoeckmann/ddthin 0

help migrating thin volumes and their snapshots

stoeckmann/iniparser 0

ini file parser

stoeckmann/less 0

Less - text pager

stoeckmann/OpenDoas 0

A portable fork of the OpenBSD `doas` command

stoeckmann/openssh-portable 0

Portable OpenSSH

stoeckmann/phc-winner-argon2 0

The password hash Argon2, winner of PHC

stoeckmann/shadow 0

Upstream shadow tree

stoeckmann/Sublist3r 0

Fast subdomains enumeration tool for penetration testers

PR opened stoeckmann/OpenDoas

Fixed parser issues
+22 -17

0 comment

3 changed files

pr created time in 2 days

create branch stoeckmann/OpenDoas

branch : parser

created branch time in 2 days

PR opened Duncaen/OpenDoas

fixed typos in comments

No functional change. These files are not part of OpenBSD's doas. Used codespell as typo scanner.

+2 -2

0 comment

2 changed files

pr created time in 2 days

create branch stoeckmann/OpenDoas

branch : typos

created branch time in 2 days

fork stoeckmann/OpenDoas

A portable fork of the OpenBSD `doas` command

fork in 2 days

PR opened shadow-maint/shadow

Improve child error handling

Always set SIGCHLD handler to default, even if the caller of vipw has set SIGCHLD to ignore. If SIGCHLD is ignored no zombie processes would be created, which in turn could mean that kill is called with an already recycled pid.

Proof of Concept:

  1. Compile nochld:
     --
     #include <signal.h>
     #include <unistd.h>
     int main(void) {
         char *argv[] = { "vipw", NULL };
         signal(SIGCHLD, SIG_IGN);
         execvp("vipw", argv);
         return 1;
     }
     --
  2. Run nochld
  3. Suspend child vi, which suspends vipw too: kill -STOP childpid
  4. Kill vi: kill -9 childpid
  5. You can see with ps that childpid is no zombie but disappeared
  6. Bring vipw back into foreground fg

The kill call sends SIGCONT to "childpid" which in turn could have been already recycled for another process.

This is definitely not a vulnerability. It would take super user operations, at which point an attacker would have already elevated permissions.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

+3 -0

0 comment

1 changed file

pr created time in 16 days

create branch stoeckmann/shadow

branch : vipw

created branch time in 16 days

PR opened util-linux/util-linux

vipw: improve child error handling

Always set SIGCHLD handler to default, even if the caller of vipw has set SIGCHLD to ignore. If SIGCHLD is ignored no zombie processes would be created, which in turn could mean that kill is called with an already recycled pid.

Also improved error message if child process fails.

Proof of Concept:

  1. Compile nochld:
     --
     #include <signal.h>
     #include <unistd.h>
     int main(void) {
         char *argv[] = { "vipw", NULL };
         signal(SIGCHLD, SIG_IGN);
         execvp("vipw", argv);
         return 1;
     }
     --
  2. Run nochld
  3. Suspend child vi, which suspends vipw too: kill -STOP childpid
  4. Kill vi: kill -9 childpid
  5. You can see with ps that childpid is no zombie but disappeared
  6. Bring vipw back into foreground fg
  7. See misleading warning message

You will get an improperly formatted warning message. Also the wake up kill call sent SIGCONT to "childpid" which could have been assigned to another process already.

This is definitely not a vulnerability. It would take super user operations, at which point an attacker would have already elevated permissions.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

+10 -3

0 comment

1 changed file

pr created time in 16 days
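
The effect both vipw pull requests above rely on, as an added example that is not code from shadow or util-linux: with SIGCHLD at its default disposition an exited child stays a zombie and keeps its pid reserved until it is waited for, while with SIGCHLD ignored the pid is released at once. The helper name pid_still_reserved is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork a child that exits at once, wait until it has terminated without
 * reaping it, then probe its pid.
 * Returns 1 if a zombie still reserves the pid, 0 if the kernel has
 * already released it for reuse, -1 on setup failure.
 */
static int pid_still_reserved(void (*chld_disposition)(int))
{
	siginfo_t info;
	pid_t pid;
	int reserved;

	if (signal(SIGCHLD, chld_disposition) == SIG_ERR)
		return -1;
	if ((pid = fork()) == -1)
		return -1;
	if (pid == 0)
		_exit(0);

	/* WNOWAIT observes the exit but leaves the zombie in place. With
	 * SIGCHLD ignored the call blocks until the child is gone and then
	 * fails with ECHILD: there is nothing left to wait for. */
	if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) == -1 &&
	    errno != ECHILD)
		return -1;

	reserved = (kill(pid, 0) == 0);	/* signal 0: existence check only */

	(void)waitpid(pid, NULL, 0);	/* reap the zombie, if any */
	(void)signal(SIGCHLD, SIG_DFL);
	return reserved;
}

int main(void)
{
	printf("SIG_DFL: pid reserved = %d\n", pid_still_reserved(SIG_DFL));
	printf("SIG_IGN: pid reserved = %d\n", pid_still_reserved(SIG_IGN));
	return 0;
}
```

Only in the SIG_DFL case is a later kill(pid, SIGCONT) guaranteed to reach the original child or nothing at all.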

create branch stoeckmann/util-linux

branch : vipw

created branch time in 16 days

push event stoeckmann/util-linux

Rafael Fontenelle

commit sha c83a52f03f3e9796a2454e6adb48c82cd70806d5

docs: Uniformize references to section titles Wrap section title references with asterisks, and prioritize 'see the *TITLE* section' over 'see section TITLE'.

Vojtěch Eichler

commit sha 1f2a2925be220d1ab090a82f3fe5e9c227418a5f

tests: split cal/color test into subtests

Vojtěch Eichler

commit sha b47dbe6156696ee6e6da10f48841a7d88c444e7f

tests: split cal/colorw test into subtests

Vojtěch Eichler

commit sha 298a9eaf659bdddff7145e9f800b3a0b712fc0a2

tests: split test into subtest

Karel Zak

commit sha ee4c324982cbc73b9f50f5c689f8238a97014cb9

hardlink: improve verbose messages Signed-off-by: Karel Zak <kzak@redhat.com>

Vojtěch Eichler

commit sha d4daa330b0baca5e7e55fc3d0b1dd993c12c68b0

tests: split several tests into subtests

Vojtěch Eichler

commit sha b75bc0e78f1d2a9e76b900de8ca17f176483cafb

tests: split additional tests into subtests

Érico Nogueira

commit sha 34a9b65587a7d704db0344e859511af4a6756c89

vipw: flush stdout before getting answer. Otherwise the question is displayed only after the user presses Return, and the program looks like it's hanging. This happens at least on musl libc. Reported by @loreb. Signed-off-by: Érico Nogueira <erico.erc@gmail.com>

Karel Zak

commit sha 421a482ac2b7fbd916a3655ae3da2af4a018a91c

Merge branch 'uniformize-title-markups' of https://github.com/rffontenelle/util-linux * 'uniformize-title-markups' of https://github.com/rffontenelle/util-linux: docs: Uniformize references to section titles

Ludwig Nussel

commit sha 1cf6e936e308166fffdc2d703c4ade2e8cbe5e51

agetty: use getttynam() if available /etc/ttys seems to be a rather archaic concept that is not meant to exist on Linux. Nevertheless it does. glibc has getttynam() which correctly parses /etc/ttys. So let's give it a try before falling back to the built in defaults. One can set the terminal type for a specific tty using e.g.: echo 'ttyS0 "" xterm' > /etc/ttys [kzak@redhat.com: - improve configure.ac part - log error on failed strdup()] Signed-off-by: Karel Zak <kzak@redhat.com>

Karel Zak

commit sha 72f8a8d42f8ee29f76428ddc804df7c08fefe024

Merge branch 'flush' of https://github.com/ericonr/util-linux * 'flush' of https://github.com/ericonr/util-linux: vipw: flush stdout before getting answer.

Karel Zak

commit sha a4bb8b3543c442ea1650899e58903b96a4751026

docs: add hint for non-public reports Fixes: https://github.com/karelzak/util-linux/issues/1482 Signed-off-by: Karel Zak <kzak@redhat.com>

Karel Zak

commit sha 10f5f79485964ab52272ebe79c3b0047b1f84d82

libbuid: use _UL_LIBUUID_UUID_H to cover uuid.h It seems _UUID_UUID_H is too generic. Addresses: https://github.com/karelzak/util-linux/issues/1432 Signed-off-by: Karel Zak <kzak@redhat.com>

Karel Zak

commit sha 3854515ca11ffc68c6bbdd4e5673c7f7521f3043

build-sys: (hardlink) check for llistxattr and lgetxattr It seems check for sys/xattr.h is not enough. The header file exists on MacOS, but without these functions. Addresses: https://github.com/karelzak/util-linux/issues/1432 Signed-off-by: Karel Zak <kzak@redhat.com>

Karel Zak

commit sha dc6a38ed286c6f311fa5c3af93b3033ce9e14b96

build-sys: include xlocale.h for locale_t on MacOS Addresses: https://github.com/karelzak/util-linux/issues/1432 Signed-off-by: Karel Zak <kzak@redhat.com>

Karel Zak

commit sha 94c8821bc8a5c37d5c17f80e76265f0eebd69664

build-sys: disable libmount when missing mntent.h Addresses: https://github.com/karelzak/util-linux/issues/1432 Signed-off-by: Karel Zak <kzak@redhat.com>

Karel Zak

commit sha e40bce636305bb06a02810784701afd4f52b3dc0

Merge branch 'refactor-tests' of https://github.com/Ajchler/util-linux * 'refactor-tests' of https://github.com/Ajchler/util-linux: tests: split additional tests into subtests tests: split several tests into subtests tests: split test into subtest tests: split cal/colorw test into subtests tests: split cal/color test into subtests

Lorenzo Beretta

commit sha 05907d0d9e7c85f33e168feab1eb36b464425054

chfn: flush stdout before reading stdin and fix uninitialized variable Same problem as described in https://github.com/karelzak/util-linux/pull/1481 Signed-off-by: Lorenzo Beretta <vc.net.loreb@gmail.com>

Lorenzo Beretta

commit sha 0a08200bd5664d1849e477f7f776ab4d13bb8422

chsh: fflush stdout before reading from stdin Same problem as described in https://github.com/karelzak/util-linux/pull/1481 Signed-off-by: Lorenzo Beretta <vc.net.loreb@gmail.com>

Karel Zak

commit sha ee2d371c615f5f8617fb67fad8c61f062c41da89

include/fileeq: add functions to compare files content Signed-off-by: Karel Zak <kzak@redhat.com>

push time in 16 days

push event stoeckmann/shadow

Tobias Stoeckmann

commit sha 63a96706b1205f91c4a57de21ac56e996d270ff1

Handle malformed lines in hushlogins file. If a line in hushlogins file, e.g. /etc/hushlogins, starts with '\0', then current code performs an out of boundary write. If the line lacks a newline at the end, then another character is overridden. With strcspn both cases are solved. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

push time in a month

push event stoeckmann/shadow

Tobias Stoeckmann

commit sha aabfb3d9d744223389b3d22bd8b773c6face78cf

Handle malformed lines in hushlogins file. If a line in hushlogins file, e.g. /etc/hushlogins, starts with '\0', then current code performs an out of boundary write. If the line lacks a newline at the end, then another character is overridden. With strcspn both cases are solved. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

push time in a month

PR opened shadow-maint/shadow

Handle malformed lines in hushedlogins file.

If a line in hushedlogins file, e.g. /etc/hushedlogins, starts with '\0', then current code performs an out of boundary write. If the line lacks a newline at the end, then another character is overridden.

With strcspn both cases are solved.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

+1 -1

0 comment

1 changed file

pr created time in a month
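
The two malformed-line cases from the pull request above, as an added example that is not code from shadow: it assumes the pre-fix code stripped the newline with the common idiom buf[strlen(buf) - 1] = '\0', which matches the described symptoms but is not shown on this page. The names old_write_offset, strip_newline, is_hushed and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LEN 64

/* Offset the assumed pre-fix idiom  buf[strlen(buf) - 1] = '\0'  would
 * write to; -1 is the byte in front of the buffer. Computed only, the
 * out-of-bounds write itself is never performed here. */
static long old_write_offset(const char *buf)
{
	return (long)strlen(buf) - 1;
}

/* Fixed form: cut at the first newline, or at the existing terminator
 * when there is none. Never writes outside the string. */
static void strip_newline(char *buf)
{
	buf[strcspn(buf, "\n")] = '\0';
}

/* Constructed sample: buffers as fgets() would leave them. */
static const char sample[][LINE_LEN] = {
	"alice\n",	/* well-formed line */
	"\0root\n",	/* line starts with NUL: strlen() is 0 */
	"bob",		/* last line of the file, no trailing newline */
};

/* Returns 1 if user matches a non-empty sample line, else 0. */
static int is_hushed(const char *user)
{
	char buf[LINE_LEN];
	size_t i;

	for (i = 0; i < sizeof sample / sizeof sample[0]; i++) {
		memcpy(buf, sample[i], sizeof buf);
		strip_newline(buf);
		if (buf[0] != '\0' && strcmp(buf, user) == 0)
			return 1;
	}
	return 0;
}

int main(void)
{
	printf("old idiom offset, NUL line: %ld\n", old_write_offset(sample[1]));
	printf("old idiom offset, \"bob\":  %ld\n", old_write_offset(sample[2]));
	printf("bob hushed with strcspn:  %d\n", is_hushed("bob"));
	return 0;
}
```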

create branch stoeckmann/shadow

branch : hushed

created branch time in a month

create branch stoeckmann/util-linux

branch : chld

created branch time in a month

create branch stoeckmann/shadow

branch : chld

created branch time in a month

pull request comment shadow-maint/shadow

su: Fix never alarmed SIGKILL when session terminates

Thank you for your explanations @lrh2000. Even after giving it a second thought I conclude yet again that your solution is better and also correct. Therefore ignore my comments above.

lrh2000

comment created time in a month

pull request comment shadow-maint/shadow

su: Fix never alarmed SIGKILL when session terminates

Thank you for further explaining your changes @lrh2000. Considering your explanation and the fact that the process with this restricted signal mask calls exit at the end of the function, I prefer your changes. Especially since the signal calls only occur within the else-block.

lrh2000

comment created time in a month

PR opened openssh/openssh-portable

Improve sshbuf defensive measures
  • Keep track of reference count even if parent is set multiple times
  • Gracefully handle failed re-allocation in sshbuf_reset

Shoutout to @c3h2_ctf

+5 -2

0 comment

1 changed file

pr created time in a month

create branch stoeckmann/openssh-portable

branch : sshbuf

created branch time in a month

PR opened openssh/openssh-portable

Adjust error code paths.
  • Always clear password in RAM, even in error path
  • Do not call kill with -1 argument by mistake

Shoutout to @c3h2_ctf

+7 -4

0 comment

2 changed files

pr created time in a month

create branch stoeckmann/openssh-portable

branch : errorpath

created branch time in a month

Pull request review comment openssh/openssh-portable

Only free allocated memory on UnixWare

 allowed_user(struct ssh *ssh, struct passwd * pw) 			locked = 1; #endif #ifdef USE_LIBIAF-		free((void *) passwd);+		if (spw != NULL)+			free((void *) passwd);
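
Review bot: in the USE_LIBIAF branch the new guard tests spw while the pointer being freed is passwd, and nothing in the visible lines ties the two together. A one-line comment stating why a non-NULL spw implies that passwd was heap-allocated would help, or the guard could test a flag set at the point where the allocation happens.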

Looks definitely much better and removes this nested portability handling out of auth.c. Definitely agreeing on that proposal.

stoeckmann

comment created time in a month

pull request comment shadow-maint/shadow

su: Fix never alarmed SIGKILL when session terminates

See https://github.com/stoeckmann/shadow/commit/f6fc0aab962320d50e1783237240e4be5290d68c for my suggestion.

lrh2000

comment created time in a month

create branch stoeckmann/shadow

branch : su

created branch time in a month

fork stoeckmann/shadow

Upstream shadow tree

fork in a month

Pull request review comment shadow-maint/shadow

su: Fix never alarmed SIGKILL when session terminates

 static void prepare_pam_close_session (void) 		snprintf (kill_msg, sizeof kill_msg, _(" ...killed.\n")); 		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n")); -		(void) signal (SIGALRM, kill_child);-		(void) signal (SIGCHLD, catch_signals);-		(void) alarm (2);--		sigemptyset (&ourset);-		if ((sigaddset (&ourset, SIGALRM) != 0)-		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {+		sigfillset (&ourset);+		if (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0) { 			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); 			kill_child (0); 		} else {+			/* Send SIGKILL to the child if it doesn't+			 * exit within 2 seconds (after SIGTERM) */+			(void) signal (SIGALRM, kill_child);+			(void) signal (SIGCHLD, catch_signals);+			(void) alarm (2);++			(void) sigdelset (&ourset, SIGALRM);+			(void) sigdelset (&ourset, SIGCHLD);+ 			while (0 == waitpid (pid_child, &status, WNOHANG)) { 				sigsuspend (&ourset);
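
Review bot: ourset serves two different purposes in this hunk, first as the full mask handed to sigprocmask (SIG_BLOCK, ...) and then, after the two sigdelset calls, as the temporary mask for sigsuspend. A separate, descriptively named set for the sigsuspend mask, or a comment at the sigdelset lines saying that only SIGALRM and SIGCHLD can interrupt the wait loop, would make the intent explicit. The return value of sigfillset is also dropped, whereas the removed code checked sigaddset.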

To sum up my comments, sigsuspend is the only offending line. If it unblocks SIGALRM, which it definitely should do, then the change is rather minimal and has no further negative side-effects.

lrh2000

comment created time in a month

Pull request review comment shadow-maint/shadow

su: Fix never alarmed SIGKILL when session terminates

 static void prepare_pam_close_session (void) 		snprintf (kill_msg, sizeof kill_msg, _(" ...killed.\n")); 		snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n")); -		(void) signal (SIGALRM, kill_child);-		(void) signal (SIGCHLD, catch_signals);-		(void) alarm (2);--		sigemptyset (&ourset);-		if ((sigaddset (&ourset, SIGALRM) != 0)-		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {+		sigfillset (&ourset);+		if (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0) { 			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); 			kill_child (0); 		} else {+			/* Send SIGKILL to the child if it doesn't+			 * exit within 2 seconds (after SIGTERM) */+			(void) signal (SIGALRM, kill_child);+			(void) signal (SIGCHLD, catch_signals);+			(void) alarm (2);++			(void) sigdelset (&ourset, SIGALRM);+			(void) sigdelset (&ourset, SIGCHLD);+ 			while (0 == waitpid (pid_child, &status, WNOHANG)) { 				sigsuspend (&ourset);

Only SIGALRM and SIGCHLD are processed due to the modified "ourset" signal mask. We should still accept all signals here.

lrh2000

comment created time in a month
