|Summary:||sys-auth/pam_mysql-0.6.2 Denial of Service|
|Product:||Gentoo Security||Reporter:||Sander Knopper <sander>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||enhancement||CC:||benjamin200, cyrius, hanno, jayson, pam-bugs+disabled, tcort, vivo|
|Whiteboard:||B2? [glsa] DerCorny|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||123405|
Description Sander Knopper 2006-01-29 11:03:28 UTC
I'd appreciate it if someone put the latest stable release from upstream in portage. At the time of writing this is 0.6.2, though work seems to be going on for 0.7. Thanks in advance!
Comment 1 Cyrius 2006-02-18 03:11:47 UTC
Created attachment 80075 [details] Ebuild proposal for the 0.6.2 pam_mysql
Comment 2 Cyrius 2006-02-18 03:12:21 UTC
Comment on attachment 80075 [details] Ebuild proposal for the 0.6.2 pam_mysql Pleasure to help
Comment 3 Cyrius 2006-02-18 03:20:30 UTC
Created attachment 80076 [details] Ebuild proposal for the 0.6.2 pam_mysql Header line corrected to respect the ebuild documentation Pleasure to help
Comment 4 Cyrius 2006-02-18 03:32:17 UTC
Created attachment 80078 [details] Ebuild proposal for the 0.7RC1 pam_mysql Pleasure to help
Comment 5 Cyrius 2006-02-18 10:12:12 UTC
I had a look on the sasl2 and openssl options. Ok, it won't work in this state. The configure file search about some directories which don't exist. I don't understand why. So if someone could help ...
Comment 6 Cyrius 2006-02-19 09:25:07 UTC
Created attachment 80193 [details] 0.6.2 and 0.7_rc1 versions corrected Hi guys, I hope to have corrected thoses version to take in account sasl2 and openssl. In fact this module was done on the Debian distrib and never found the necessary includes and c functions to correctly link with ssl or sasl. So, i hope to have corectly modified the necessary files. Would it be possible that someone test it please ? Cyrius
Comment 7 Cyrius 2006-02-19 10:00:09 UTC
Comment on attachment 80193 [details] 0.6.2 and 0.7_rc1 versions corrected see bug 123405
Comment 8 Diego Elio Pettenò (RETIRED) 2006-04-21 08:50:18 UTC
*** Bug 85787 has been marked as a duplicate of this bug. ***
Comment 9 Diego Elio Pettenò (RETIRED) 2006-04-21 08:57:42 UTC
*** Bug 104967 has been marked as a duplicate of this bug. ***
Comment 10 Diego Elio Pettenò (RETIRED) 2006-04-21 09:02:11 UTC
*** Bug 123405 has been marked as a duplicate of this bug. ***
Comment 11 W-Mark Kubacki 2006-04-26 05:58:18 UTC
Created attachment 85531 [details, diff] pam_mysql-0.6.0-to-0.6.2.patch I'd like to contribute this patch against pam_mysql-0.6.0.ebuild. It not only is a version bump but provides a workaround against the configure bug which prevents headers for MD5 to be found. MD5-support (crypt=3) works.
Comment 12 W-Mark Kubacki 2006-04-26 05:59:49 UTC
Created attachment 85532 [details, diff] pam_mysql-0.6_md5_openssl.patch
Comment 13 W-Mark Kubacki 2006-04-26 06:00:20 UTC
Created attachment 85533 [details, diff] pam_mysql-0.6_md5_sasl2.patch
Comment 14 Tuan Van (RETIRED) 2006-05-09 12:08:35 UTC
quoted from http://pam-mysql.sourceforge.net/News/00005.php Aressed security concerns: * Possible segmentation fault in the SQL logging facility, which can cause Denial-of-Service (DoS). * Flaws in the authentication and authentication token alteration code where incorrect treatment of the pointer returned by pam_get_item() were spotted. They can most likely induce DoS or possibly lead to more severe problems. security team, please do your check.
Comment 15 Diego Elio Pettenò (RETIRED) 2006-05-09 12:20:06 UTC
If this is a security concern I'm for masking and asking for a new maintainer on g-dev until someone steps up, and deleted when the case.
Comment 16 Sune Kloppenborg Jeppesen 2006-05-09 13:47:05 UTC
Reassgining to security.
Comment 17 Sune Kloppenborg Jeppesen 2006-05-09 14:02:32 UTC
Maintainer mail sent to -dev.
Comment 18 Francesco R. (RETIRED) 2006-05-10 03:03:02 UTC
pam-mysql 0.7RC1 added to the tree, the package now belong to the "mysql" herd, still need to look in depth at the patches "pam_mysql-0.6_md5_openssl.patch" and "pam_mysql-0.6_md5_sasl2.patch", these, temporary have _not_ been applyed. rgds, Francesco Riosa P.S. I'm using 0.7RC1 from a pair of weeks on amd64
Comment 19 Stefan Cornelius (RETIRED) 2006-05-10 03:21:14 UTC
vivo, is this ready to be stable?
Comment 20 Francesco R. (RETIRED) 2006-05-10 06:52:27 UTC
two additional use flag need to be added, "openssl" an "sasl", but need the usual little modifications to the ebuild and further testing, so better do that in a "-r1". As is the package is minimally tested, only amd64, basically I do use it as auth system on a mail-server where sasl+mysql was not an option. However it compile and run, so yes it's ready for arch's tester and stabilization.
Comment 21 Mark Loeser (RETIRED) 2006-05-17 17:32:52 UTC
Comment 22 W-Mark Kubacki 2006-05-18 03:11:57 UTC
Created attachment 86990 [details, diff] pam_mysql-0.7_rc1.ebuild.md5.patch Please see the attached patch which addresses the configure bug which prevents headers for MD5 to be found. The patch is to be applied on the current ebuild. I've already published a complete ebuild here: http://svn.ossdl.de/all/ossdl/
Comment 23 Thomas Cort (RETIRED) 2006-05-18 19:37:24 UTC
alpha done. I noticed 0.5 is stable on ppc, but 0.7_rc1 is still ~ppc. Maybe they should be added to CC to stabilize 0.7_rc1 too?
Comment 24 Stefan Cornelius (RETIRED) 2006-05-18 23:30:06 UTC
ppc please test and stable, thanks. Also thanks to tcort for the headsup
Comment 25 Cyrius 2006-05-19 02:03:41 UTC
Hello all, I'm clearly disapointed and discouraged. I've already done this in the 123405 bugg. Then i don't understand you. Why do you not directly keep those attachments from 123405 and correct them here ???? I mean using sed like you want and others ? Could you explain your position ? That's great to re discover what i've already test and done. Cyrius
Comment 26 Tobias Scherbaum (RETIRED) 2006-05-19 11:56:47 UTC
Comment 27 Raphael Marichez (Falco) (RETIRED) 2006-05-30 05:34:00 UTC
[glsa voting] OK, i shoot first. i would vote no glsa.
Comment 28 Wolf Giesen (RETIRED) 2006-05-30 05:38:56 UTC
Phew. Gut feeling says "no" since I don't really see a big impact. On the other hand, it's still valid and we don't give anything away by doing a GLSA. So why not, in doubt count me as "yes".
Comment 29 Dax 2006-05-30 06:07:08 UTC
I agree with frilled, why not, vote yes glsa rgds daxomatic
Comment 30 Thierry Carrez (RETIRED) 2006-05-30 09:22:42 UTC
Comment 31 Raphael Marichez (Falco) (RETIRED) 2006-06-08 03:35:14 UTC
sec-devs, please vote and decide on this B2-maybe. One "yes" would be sufficient.
Comment 32 Sune Kloppenborg Jeppesen 2006-06-11 12:23:53 UTC
I vote YES.
Comment 33 Wolf Giesen (RETIRED) 2006-06-12 21:11:08 UTC
Can we have someone from auditing take a deeper look at what's described as "or possibly lead to more severe problems" (http://pam-mysql.sourceforge.net/News/), or does somebody know?
Comment 34 Sune Kloppenborg Jeppesen 2006-06-15 09:14:51 UTC
Thx everyone. GLSA 200606-18