Comment 9 for bug 1574911

Andreas Hasenack (ahasenack) wrote : Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04

pure-ftpd sorted this out by reimplementing make_scrambled_password() if it's not exported:

https://github.com/jedisct1/pure-ftpd/commit/2db6b50c7b7c638104bd9639994f0574e8f4813c

I don't know when make_scrambled_password() stopped being exported in libmysqlclient, but libmysqlclient's my_make_scrambled_password() is NOT a replacement for it. The right replacement for it is my_make_scrambled_password_sha1(), and currently make_scrambled_password() is a wrapper around my_make_scrambled_password_sha1(), but neither is exported in libmysqlclient:
/*
  Wrapper around my_make_scrambled_password() to maintain client lib ABI
  compatibility.
  In server code usage of my_make_scrambled_password() is preferred to
  avoid strlen().
  SYNOPSIS
    make_scrambled_password()
    buf OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string
    password IN NULL-terminated password string
*/

void make_scrambled_password(char *to, const char *password)
{
  my_make_scrambled_password_sha1(to, password, strlen(password));
}

So pam_mysql should probably reimplement my_make_scrambled_password_sha1() in order to support passwords hashed with the server PASSWORD() function (the crypt=2 option in pam_mysql).