Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 120842

Summary: sys-auth/pam_mysql-0.6.2 Denial of Service
Product: Gentoo Security Reporter: Sander Knopper <sander>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement CC: benjamin200, cyrius, hanno, jayson, pam-bugs+disabled, tcort, vivo
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://pam-mysql.sourceforge.net/News/
Whiteboard: B2? [glsa] DerCorny
Package list:
Runtime testing required: ---
Bug Depends on: 123405    
Bug Blocks:    
Attachments:
Description Flags
Ebuild proposal for the 0.6.2 pam_mysql
none
Ebuild proposal for the 0.6.2 pam_mysql
none
Ebuild proposal for the 0.7RC1 pam_mysql
none
0.6.2 and 0.7_rc1 versions corrected
none
pam_mysql-0.6.0-to-0.6.2.patch
none
pam_mysql-0.6_md5_openssl.patch
none
pam_mysql-0.6_md5_sasl2.patch
none
pam_mysql-0.7_rc1.ebuild.md5.patch none

Description Sander Knopper 2006-01-29 11:03:28 UTC
I'd appreciate it if someone put the latest stable release from upstream in portage. At the time of writing this is 0.6.2, though work seems to be going on for 0.7.

Thanks in advance!
Comment 1 Cyrius 2006-02-18 03:11:47 UTC
Created attachment 80075 [details]
Ebuild proposal for the 0.6.2 pam_mysql
Comment 2 Cyrius 2006-02-18 03:12:21 UTC
Comment on attachment 80075 [details]
Ebuild proposal for the 0.6.2 pam_mysql

Pleasure to help
Comment 3 Cyrius 2006-02-18 03:20:30 UTC
Created attachment 80076 [details]
Ebuild proposal for the 0.6.2 pam_mysql

Header line corrected to respect the ebuild documentation
Pleasure to help
Comment 4 Cyrius 2006-02-18 03:32:17 UTC
Created attachment 80078 [details]
Ebuild proposal for the 0.7RC1 pam_mysql

Pleasure to help
Comment 5 Cyrius 2006-02-18 10:12:12 UTC
I had a look on the sasl2 and openssl options.
Ok, it won't work in this state. 
The configure file search about some directories which don't exist.
I don't understand why. So if someone could help ...
Comment 6 Cyrius 2006-02-19 09:25:07 UTC
Created attachment 80193 [details]
0.6.2 and 0.7_rc1 versions corrected

Hi guys,

   I hope to have corrected thoses version to take in account sasl2 and openssl.
   In fact this module was done on the Debian distrib and never found the necessary includes and c functions to correctly link with ssl or sasl.
   So, i hope to have corectly modified the necessary files.
   

   Would it be possible that someone test it please ?

Cyrius
Comment 7 Cyrius 2006-02-19 10:00:09 UTC
Comment on attachment 80193 [details]
0.6.2 and 0.7_rc1 versions corrected

see bug 123405
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 08:50:18 UTC
*** Bug 85787 has been marked as a duplicate of this bug. ***
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 08:57:42 UTC
*** Bug 104967 has been marked as a duplicate of this bug. ***
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 09:02:11 UTC
*** Bug 123405 has been marked as a duplicate of this bug. ***
Comment 11 W-Mark Kubacki 2006-04-26 05:58:18 UTC
Created attachment 85531 [details, diff]
pam_mysql-0.6.0-to-0.6.2.patch

I'd like to contribute this patch against pam_mysql-0.6.0.ebuild.

It not only is a version bump but provides a workaround against the configure bug which prevents headers for MD5 to be found. MD5-support (crypt=3) works.
Comment 12 W-Mark Kubacki 2006-04-26 05:59:49 UTC
Created attachment 85532 [details, diff]
pam_mysql-0.6_md5_openssl.patch
Comment 13 W-Mark Kubacki 2006-04-26 06:00:20 UTC
Created attachment 85533 [details, diff]
pam_mysql-0.6_md5_sasl2.patch
Comment 14 Tuan Van (RETIRED) gentoo-dev 2006-05-09 12:08:35 UTC
quoted from http://pam-mysql.sourceforge.net/News/00005.php

Aressed security concerns:

    *

      Possible segmentation fault in the SQL logging facility, which can cause Denial-of-Service (DoS).
    *

      Flaws in the authentication and authentication token alteration code where incorrect treatment of the pointer returned by pam_get_item() were spotted. They can most likely induce DoS or possibly lead to more severe problems.

security team, please do your check.
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-09 12:20:06 UTC
If this is a security concern I'm for masking and asking for a new maintainer on g-dev until someone steps up, and deleted when the case.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-09 13:47:05 UTC
Reassgining to security.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-09 14:02:32 UTC
Maintainer mail sent to -dev.
Comment 18 Francesco R. (RETIRED) gentoo-dev 2006-05-10 03:03:02 UTC
pam-mysql 0.7RC1 added to the tree, the package now belong to the "mysql" herd, still need to look in depth at the patches "pam_mysql-0.6_md5_openssl.patch" and "pam_mysql-0.6_md5_sasl2.patch", these, temporary have _not_ been applyed.

rgds, Francesco Riosa

P.S. I'm using 0.7RC1 from a pair of weeks on amd64
Comment 19 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-10 03:21:14 UTC
vivo, is this ready to be stable?
Comment 20 Francesco R. (RETIRED) gentoo-dev 2006-05-10 06:52:27 UTC
two additional use flag need to be added, "openssl" an "sasl", but need the usual little modifications to the ebuild and further testing, so better do that in a "-r1".

As is the package is minimally tested, only amd64, basically I do use it as auth system on a mail-server where sasl+mysql was not an option.

However it compile and run, so yes it's ready for arch's tester and stabilization.
Comment 21 Mark Loeser (RETIRED) gentoo-dev 2006-05-17 17:32:52 UTC
x86 done
Comment 22 W-Mark Kubacki 2006-05-18 03:11:57 UTC
Created attachment 86990 [details, diff]
pam_mysql-0.7_rc1.ebuild.md5.patch

Please see the attached patch which addresses the configure bug which prevents headers for MD5 to be found.

The patch is to be applied on the current ebuild.

I've already published a complete ebuild here: http://svn.ossdl.de/all/ossdl/
Comment 23 Thomas Cort (RETIRED) gentoo-dev 2006-05-18 19:37:24 UTC
alpha done.

I noticed 0.5 is stable on ppc, but 0.7_rc1 is still ~ppc. Maybe they should be added to CC to stabilize 0.7_rc1 too?
Comment 24 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-18 23:30:06 UTC
ppc please test and stable, thanks. Also thanks to tcort for the headsup
Comment 25 Cyrius 2006-05-19 02:03:41 UTC
Hello all,

   I'm clearly disapointed and discouraged. I've already done this in the 123405 bugg. 
   Then i don't understand you. Why do you not directly keep those attachments from 123405 and correct them here ????

   I mean using sed like you want and others ?
   Could you explain your position ?
   That's great to re discover what i've already test and done. 


Cyrius
Comment 26 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-19 11:56:47 UTC
ppc stable
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-30 05:34:00 UTC
[glsa voting]

OK, i shoot first.

i would vote no glsa.
Comment 28 Wolf Giesen (RETIRED) gentoo-dev 2006-05-30 05:38:56 UTC
Phew. Gut feeling says "no" since I don't really see a big impact. On the other hand, it's still valid and we don't give anything away by doing a GLSA. So why not, in doubt count me as "yes".
Comment 29 Dax 2006-05-30 06:07:08 UTC
I agree with frilled, why not,
vote yes glsa
rgds
daxomatic
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 09:22:42 UTC
Voting yes
Comment 31 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-08 03:35:14 UTC
sec-devs, please vote and decide on this B2-maybe. One "yes" would be sufficient.
Comment 32 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-11 12:23:53 UTC
I vote YES.
Comment 33 Wolf Giesen (RETIRED) gentoo-dev 2006-06-12 21:11:08 UTC
Can we have someone from auditing take a deeper look at what's described as "or possibly lead to more severe problems" (http://pam-mysql.sourceforge.net/News/), or does somebody know?
Comment 34 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-15 09:14:51 UTC
Thx everyone.

GLSA 200606-18