Bug 261512 (CVE-2009-0887) - <sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (CVE-2009-0887)
Summary: <sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (...
Status: RESOLVED FIXED
Alias: CVE-2009-0887
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: B3 [glsa]
Keywords:
Depends on: CVE-2009-0579
Blocks:
Reported: 2009-03-07 00:25 UTC by Robert Buchholz (RETIRED)
Modified: 2009-09-07 00:59 UTC (History)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:25:16 UTC
On Thursday 05 March 2009, Jan Lieskovsky wrote:
  Marcus Granado recently reported a security issue in 
libpam related to parsing of non-ascii usernames in
the Pam configuration files. Attaching his report for
more details.

Affected version: pam <= 1.0.3

Link to SCM repo: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?view=log
Patch: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?r1=1.9&r2=1.10&view=patch


Could you please allocate a new CVE id for it?
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-03-07 00:29:08 UTC
ebuild? If this is <= 1.0.3 (and it seems to be from the CVS logs), this is getting stabled together with bug #261108.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:47:54 UTC
Correct, the patch is applied in 1.0.3 -- my fault.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-12 21:06:08 UTC
CVE-2009-0887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0887):
  Integer signedness error in the _pam_StrTok function in
  libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
  configuration file contains non-ASCII usernames, might allow remote
  attackers to cause a denial of service, and might allow remote
  authenticated users to obtain login access with a different user's
  non-ASCII username, via a login attempt.
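
Added example, not part of the bug report and not Linux-PAM's code: the bug class the CVE text above names, shown as the table index a byte of a non-ASCII username yields when treated as a signed char versus an unsigned char, together with a small table-driven tokenizer that uses the unsigned form. The names index_as_signed, index_as_unsigned and next_token and the sample line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a config-style line with a UTF-8 username ("jörg"). */
static const char SAMPLE[] = "user = j\xc3\xb6" "rg other";

/* Index a lookup sees when the byte is treated as a signed char. */
int index_as_signed(const char *p)   { return (int)(signed char)*p; }
/* Hardened form: every byte value maps into 0..255. */
int index_as_unsigned(const char *p) { return (int)(unsigned char)*p; }

/* Hypothetical tokenizer (not PAM's): copies the next token into out.
 * Returns its length, 0 at end of input, -1 if it does not fit. */
int next_token(const char **cur, const char *delims, char *out, size_t outsz)
{
    unsigned char is_delim[256] = {0};
    const unsigned char *d = (const unsigned char *)delims;
    const unsigned char *s = (const unsigned char *)*cur;
    size_t n = 0;

    for (; *d; d++)
        is_delim[*d] = 1;              /* index is always 0..255 */
    while (*s && is_delim[*s])         /* skip leading delimiters */
        s++;
    while (s[n] && !is_delim[s[n]])    /* measure the token */
        n++;
    if (n >= outsz)
        return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    *cur = (const char *)(s + n);
    return (int)n;
}

int main(void)
{
    const char *cur = SAMPLE;
    char tok[32];
    int len;

    printf("byte 0xC3 as signed index: %d, as unsigned index: %d\n",
           index_as_signed(SAMPLE + 8), index_as_unsigned(SAMPLE + 8));
    while ((len = next_token(&cur, " \t", tok, sizeof tok)) > 0)
        printf("token (%d bytes): %s\n", len, tok);
    return len < 0;
}
```

A negative index into a 256-entry table reads or writes memory before the table, which is why every lookup in the tokenizer goes through unsigned char.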

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 13:00:09 UTC
I vote YES
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:01:55 UTC
YES, too. Request filed.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-07 00:59:27 UTC
GLSA 200909-01