The pam_verror may cause segmentation fault. Consider the following scenario:

1. A service module (for instance, pam_unix) calls PAM_VERBOSE_ERROR. That macro expands to _pam_verbose_error call.
2. _pam_verbose_error calls pam_verror if the PAM_SILENT flag is not set on the PAM handle and no_warn option is not set for the service module.
3. pam_verror allocates 'char *rsp' on stack w/o initializing it to NULL, (a dangling pointer), and makes pam_vprompt(pamh, PAM_ERROR_MSG, &rsp, fmt, ap) call.
4. Now if the PAM conversation is NULL, pam_vprompt soon returns w/ PAM_SYSTEM_ERR and __does not__ set *rsp.
5. pam_verror then does FREE(rsp) and if rsp happens to be anything other than NULL, a segmentation fault happens.

The very same bug exists in pam_vinfo.
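
The pattern from the scenario above, reduced to a stand-alone sketch with the caller hardened. This is an added example, not the library's code: every demo_* name and both DEMO_* constants are constructed stand-ins, and demo_verror is variadic here only so it can be called directly.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the PAM handle and return codes. */
enum { DEMO_SUCCESS = 0, DEMO_SYSTEM_ERR = 1 };
typedef int (*demo_conv_fn)(const char *msg, char **resp);
struct demo_handle { demo_conv_fn conv; };

/* Callee as described in step 4: with no conversation function it
 * returns an error and never writes to *resp. */
static int demo_vprompt(struct demo_handle *h, char **resp,
                        const char *fmt, va_list ap)
{
    char msg[256];
    if (h->conv == NULL)
        return DEMO_SYSTEM_ERR;          /* *resp left untouched */
    vsnprintf(msg, sizeof msg, fmt, ap);
    return h->conv(msg, resp);
}

/* Hardened caller. The form from step 3 is `char *rsp;` with no
 * initializer, which hands free() whatever bytes were on the stack
 * when the callee takes the early-return path. */
int demo_verror(struct demo_handle *h, const char *fmt, ...)
{
    char *rsp = NULL;                    /* the fix: defined value on every path */
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = demo_vprompt(h, &rsp, fmt, ap);
    va_end(ap);
    free(rsp);                           /* free(NULL) is a no-op */
    return r;
}

/* Constructed conversation function that returns a heap-allocated reply. */
static int demo_conv(const char *msg, char **resp)
{
    size_t n = strlen(msg) + 1;
    if ((*resp = malloc(n)) == NULL)
        return DEMO_SYSTEM_ERR;
    memcpy(*resp, msg, n);
    return DEMO_SUCCESS;
}
```

Compilers can flag the unhardened form statically (for example GCC's -Wmaybe-uninitialized at higher optimization levels), and running it under Valgrind or MemorySanitizer reports the use of the uninitialized pointer.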