Bug 120842 - sys-auth/pam_mysql-0.6.2 Denial of Service
Bug#: 120842 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: sander@knopper.tk
Component: Vulnerabilities
URL:  http://pam-mysql.sourceforge.net/News/
Summary: sys-auth/pam_mysql-0.6.2 Denial of Service
Keywords:  
Status Whiteboard: B2? [glsa] DerCorny
Opened: 2006-01-29 11:03 0000
Description:
I'd appreciate it if someone put the latest stable release from upstream in
portage. At the time of writing this is 0.6.2, though work seems to be going on
for 0.7.

Thanks in advance!

------- Comment #1 From Cyrius 2006-02-18 03:11:47 0000 -------
Created an attachment (id=80075)
Ebuild proposal for the 0.6.2 pam_mysql

------- Comment #2 From Cyrius 2006-02-18 03:12:21 0000 -------
(From update of attachment 80075)
Pleasure to help

------- Comment #3 From Cyrius 2006-02-18 03:20:30 0000 -------
Created an attachment (id=80076)
Ebuild proposal for the 0.6.2 pam_mysql

Header line corrected to respect the ebuild documentation
Pleasure to help

------- Comment #4 From Cyrius 2006-02-18 03:32:17 0000 -------
Created an attachment (id=80078)
Ebuild proposal for the 0.7RC1 pam_mysql

Pleasure to help

------- Comment #5 From Cyrius 2006-02-18 10:12:12 0000 -------
I had a look at the sasl2 and openssl options.
OK, it won't work in this state.
The configure file searches for some directories which don't exist.
I don't understand why. So if someone could help ...

------- Comment #6 From Cyrius 2006-02-19 09:25:07 0000 -------
Created an attachment (id=80193)
0.6.2 and 0.7_rc1 versions corrected

Hi guys,

   I hope to have corrected those versions to take into account sasl2 and
openssl.
   In fact this module was done on the Debian distrib and never found the
necessary includes and C functions to correctly link with ssl or sasl.
   So, I hope to have correctly modified the necessary files.


   Would it be possible for someone to test it, please?

Cyrius

------- Comment #7 From Cyrius 2006-02-19 10:00:09 0000 -------
(From update of attachment 80193)
see bug 123405

------- Comment #8 From Diego E. 'Flameeyes' Pettenò 2006-04-21 08:50:18 0000 -------
*** Bug 85787 has been marked as a duplicate of this bug. ***

------- Comment #9 From Diego E. 'Flameeyes' Pettenò 2006-04-21 08:57:42 0000 -------
*** Bug 104967 has been marked as a duplicate of this bug. ***

------- Comment #10 From Diego E. 'Flameeyes' Pettenò 2006-04-21 09:02:11 0000 -------
*** Bug 123405 has been marked as a duplicate of this bug. ***

------- Comment #11 From W-Mark Kubacki 2006-04-26 05:58:18 0000 -------
Created an attachment (id=85531)
pam_mysql-0.6.0-to-0.6.2.patch

I'd like to contribute this patch against pam_mysql-0.6.0.ebuild.

It is not only a version bump but also provides a workaround for the configure
bug which prevents headers for MD5 from being found. MD5 support (crypt=3) works.

------- Comment #12 From W-Mark Kubacki 2006-04-26 05:59:49 0000 -------
Created an attachment (id=85532)
pam_mysql-0.6_md5_openssl.patch

------- Comment #13 From W-Mark Kubacki 2006-04-26 06:00:20 0000 -------
Created an attachment (id=85533)
pam_mysql-0.6_md5_sasl2.patch

------- Comment #14 From Tuan Van (RETIRED) 2006-05-09 12:08:35 0000 -------
quoted from http://pam-mysql.sourceforge.net/News/00005.php

Addressed security concerns:

    * Possible segmentation fault in the SQL logging facility, which can cause
      Denial-of-Service (DoS).

    * Flaws in the authentication and authentication token alteration code
      where incorrect treatment of the pointer returned by pam_get_item() was
      spotted. They can most likely induce DoS or possibly lead to more severe
      problems.

security team, please do your check.

------- Comment #15 From Diego E. 'Flameeyes' Pettenò 2006-05-09 12:20:06 0000 -------
If this is a security concern I'm for masking and asking for a new maintainer
on g-dev until someone steps up, and deleted when the case.

------- Comment #16 From Sune Kloppenborg Jeppesen 2006-05-09 13:47:05 0000 -------
Reassigning to security.

------- Comment #17 From Sune Kloppenborg Jeppesen 2006-05-09 14:02:32 0000 -------
Maintainer mail sent to -dev.

------- Comment #18 From Francesco R. (RETIRED) 2006-05-10 03:03:02 0000 -------
pam-mysql 0.7RC1 added to the tree, the package now belongs to the "mysql" herd,
still need to look in depth at the patches "pam_mysql-0.6_md5_openssl.patch"
and "pam_mysql-0.6_md5_sasl2.patch"; these have temporarily _not_ been applied.

rgds, Francesco Riosa

P.S. I've been using 0.7RC1 for a couple of weeks on amd64

------- Comment #19 From Stefan Cornelius (RETIRED) 2006-05-10 03:21:14 0000 -------
vivo, is this ready to be stable?

------- Comment #20 From Francesco R. (RETIRED) 2006-05-10 06:52:27 0000 -------
Two additional use flags need to be added, "openssl" and "sasl", but they need the
usual little modifications to the ebuild and further testing, so better do that
in a "-r1".

As is, the package is minimally tested, only on amd64; basically I use it as
the auth system on a mail server where sasl+mysql was not an option.

However, it compiles and runs, so yes, it's ready for arch testers and
stabilization.

------- Comment #21 From Mark Loeser 2006-05-17 17:32:52 0000 -------
x86 done

------- Comment #22 From W-Mark Kubacki 2006-05-18 03:11:57 0000 -------
Created an attachment (id=86990)
pam_mysql-0.7_rc1.ebuild.md5.patch

Please see the attached patch which addresses the configure bug which prevents
headers for MD5 from being found.

The patch is to be applied on the current ebuild.

I've already published a complete ebuild here: http://svn.ossdl.de/all/ossdl/

------- Comment #23 From Thomas Cort (RETIRED) 2006-05-18 19:37:24 0000 -------
alpha done.

I noticed 0.5 is stable on ppc, but 0.7_rc1 is still ~ppc. Maybe they should be
added to CC to stabilize 0.7_rc1 too?

------- Comment #24 From Stefan Cornelius (RETIRED) 2006-05-18 23:30:06 0000 -------
ppc please test and stable, thanks. Also thanks to tcort for the heads-up

------- Comment #25 From Cyrius 2006-05-19 02:03:41 0000 -------
Hello all,

   I'm clearly disappointed and discouraged. I've already done this in
bug 123405.
   So I don't understand you. Why do you not directly keep those attachments
from 123405 and correct them here?

   I mean using sed like you want and others?
   Could you explain your position?
   That's great to rediscover what I've already tested and done.


Cyrius

------- Comment #26 From Tobias Scherbaum 2006-05-19 11:56:47 0000 -------
ppc stable

------- Comment #27 From Raphael Marichez 2006-05-30 05:34:00 0000 -------
[glsa voting]

OK, I shoot first.

I would vote no glsa.

------- Comment #28 From Wolf Giesen (RETIRED) 2006-05-30 05:38:56 0000 -------
Phew. Gut feeling says "no" since I don't really see a big impact. On the other
hand, it's still valid and we don't give anything away by doing a GLSA. So why
not, in doubt count me as "yes".

------- Comment #29 From Dax 2006-05-30 06:07:08 0000 -------
I agree with frilled, why not,
vote yes glsa
rgds
daxomatic

------- Comment #30 From Thierry Carrez (RETIRED) 2006-05-30 09:22:42 0000 -------
Voting yes

------- Comment #31 From Raphael Marichez 2006-06-08 03:35:14 0000 -------
sec-devs, please vote and decide on this B2-maybe. One "yes" would be
sufficient.

------- Comment #32 From Sune Kloppenborg Jeppesen 2006-06-11 12:23:53 0000 -------
I vote YES.

------- Comment #33 From Wolf Giesen (RETIRED) 2006-06-12 21:11:08 0000 -------
Can we have someone from auditing take a deeper look at what's described as "or
possibly lead to more severe problems"
(http://pam-mysql.sourceforge.net/News/), or does somebody know?

------- Comment #34 From Sune Kloppenborg Jeppesen 2006-06-15 09:14:51 0000 -------
Thx everyone.

GLSA 200606-18