| Summary: | sys-libs/pam-0.78-r2 and pam_userdb denial of service | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Spider (RETIRED) <spider> |
| Component: | [OLD] Core system | Assignee: | PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled> |
| Status: | RESOLVED TEST-REQUEST | | |
| Severity: | normal | CC: | azarah, flameeyes, robbat2 |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | pam-0.78-userdb-cript.patch | | |

Description
Spider (RETIRED)
Not sure if this really is a security issue or not, however please provide a fixed package.

Created attachment 76894
pam-0.78-userdb-cript.patch

Can someone test if this works? I don't have pam_userdb set up here to test.

Opening bug, this is known in the public.

I found a patch that seems to fix another similar issue here, maybe we also need that one. http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/pam_userdb/pam_userdb.c?r1=1.16&r2=1.18

AFAICT this is not a vulnerability, it's just a bug. Bad config => no login allowed. Reassigning.

So as I'm probably not going to try preparing ebuilds for pam 0.81 now (as I don't have the free time to start looking at it so much to make its build system sane), can someone please test the patch I've tried to prepare? The one in the ViewCVS does not apply over current sources (or I would have applied it with -r4).

See above, a test might be handy, but anyway 0.99 is in tree p.masked -* until it can be fixed.