Gentoo Bug 261512 - <sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (CVE-2009-0887)

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	261512
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 261512 depends on:	261108		Show dependency tree
Bug 261512 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2009-03-07 00:25 0000

On Thursday 05 March 2009, Jan Lieskovsky wrote:
  Marcus Granado recently reported a security issue in 
libpam related to parsing of non-ascii usernames in
the Pam configuration files. Attaching his report for
more details.

Affected version: pam <= 1.0.3

Link to SCM repo:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?view=log
Patch:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?r1=1.9&amp;r2=1.10&amp;view=patch


Could you please allocate a new CVE id for it?

------- Comment #1 From Diego E. 'Flameeyes' Pettenò 2009-03-07 00:29:08 0000 -------

ebuild? If this is <= 1.0.3 (and it seems to be from the CVS logs), this is
getting stabled together with bug #261108.

------- Comment #2 From Robert Buchholz 2009-03-07 00:47:54 0000 -------

correct, the patch is applied in 1.0.3 -- my fault.

------- Comment #3 From Stefan Behte 2009-03-12 21:06:08 0000 -------

CVE-2009-0887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0887):
  Integer signedness error in the _pam_StrTok function in
  libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
  configuration file contains non-ASCII usernames, might allow remote
  attackers to cause a denial of service, and might allow remote
  authenticated users to obtain login access with a different user's
  non-ASCII username, via a login attempt.

------- Comment #4 From Robert Buchholz 2009-07-10 13:00:09 0000 -------

i vote YES

------- Comment #5 From Stefan Behte 2009-07-10 18:01:55 0000 -------

YES, too. Request filed.

------- Comment #6 From Alex Legler 2009-09-07 00:59:27 0000 -------

GLSA 200909-01

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 261512

<sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (CVE-2009-0887)

Last modified: 2009-09-07 00:59:27 0000