Summary: | <sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (CVE-2009-0887) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | pam-bugs+disabled |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://thread.gmane.org/gmane.comp.security.oss.general/1543 | | |
Whiteboard: | B3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 261108 | | |
Bug Blocks: | | | |
Description

Robert Buchholz (RETIRED) 2009-03-07 00:25:16 UTC

ebuild? If this is <= 1.0.3 (and it seems to be from the CVS logs), this is getting stabled together with bug #261108.

Correct, the patch is applied in 1.0.3 -- my fault.

CVE-2009-0887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0887): Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.

I vote YES

YES, too.

Request filed.

GLSA 200909-01
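As an added illustration (this is not Linux-PAM's code and not the patch that shipped in 1.0.4): a minimal table-driven tokenizer of the kind the CVE text describes. It shows why indexing a 256-entry delimiter table with a plain `char` misplaces non-ASCII bytes on platforms where `char` is signed (the index goes negative, so the lookup lands outside the table and tokenization of a UTF-8 username becomes unpredictable), and the `unsigned char` conversion that keeps every byte within 0..255. The pam_succeed_if-style sample line and all function names are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Linux-PAM's _pam_StrTok. A 256-entry table marks
 * delimiter bytes; the only question is how a byte is turned into an index. */

/* Index as a plain char would produce it. Where char is signed (x86 Linux),
 * any byte >= 0x80 becomes negative, e.g. 0xC3 -> -61, and table[-61] is an
 * out-of-bounds read of whatever sits before the table on the stack. */
int table_index_signed(char c) {
    return (int)c;
}

/* Hardened index: convert through unsigned char so every byte maps to 0..255. */
int table_index_unsigned(char c) {
    return (int)(unsigned char)c;
}

/* Bounds check a caller can apply to any computed index. */
int index_is_in_bounds(int idx) {
    return idx >= 0 && idx < 256;
}

/* Tokenizer that uses only the hardened index. Splits buf in place on the
 * bytes in delims, stores up to max_tokens pointers in out[], returns count. */
size_t tokenize(char *buf, const char *delims, char **out, size_t max_tokens) {
    unsigned char table[256];
    memset(table, 0, sizeof table);
    for (const char *d = delims; *d; ++d)
        table[table_index_unsigned(*d)] = 1;

    size_t n = 0;
    char *p = buf;
    while (*p && n < max_tokens) {
        while (*p && table[table_index_unsigned(*p)]) ++p;   /* skip delimiters */
        if (!*p) break;
        out[n++] = p;
        while (*p && !table[table_index_unsigned(*p)]) ++p;  /* token body, non-ASCII bytes included */
        if (*p) *p++ = '\0';
    }
    return n;
}

int main(void) {
    /* Constructed sample: a pam_succeed_if-style argument list with a UTF-8 username ("josé"). */
    char line[] = "user = jos\xC3\xA9 quiet";
    char *tok[8];
    size_t n = tokenize(line, " \t\n", tok, 8);
    for (size_t i = 0; i < n; ++i)
        printf("token %zu: %s\n", i, tok[i]);

    char c = (char)0xC3;   /* first byte of the UTF-8 encoding of 'é' */
    int bad = table_index_signed(c), good = table_index_unsigned(c);
    printf("plain char index %d in bounds: %d\n", bad, index_is_in_bounds(bad));
    printf("unsigned char index %d in bounds: %d\n", good, index_is_in_bounds(good));
    return 0;
}
```

The detection side of this is mechanical: any `table[ch]` where `ch` has type `char` is suspect, and compilers flag it with `-Wchar-subscripts` (enabled by `-Wall` in GCC and Clang), which would have caught the original pattern.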