Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 452652 (CVE-2013-0191)

Summary: <sys-auth/pam-pgsql-0.7.3.2: NULL password handling issue (CVE-2013-0191)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: pam-bugs+disabled, vapier
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/01/15/7
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
pam-pgsql-0.7.3.1-nullpassword.patch none

Description Agostino Sarubbo gentoo-dev 2013-01-17 10:37:44 UTC 
From $URL :

Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might
allow login with any password the SQL query for the password returns
NULL.

Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>
Comment 1 Samuel Damashek (RETIRED) gentoo-dev 2013-12-23 03:54:25 UTC 
Attaching patch from upstream.
Comment 2 Samuel Damashek (RETIRED) gentoo-dev 2013-12-23 03:55:05 UTC 
Created attachment 365952 [details, diff]
pam-pgsql-0.7.3.1-nullpassword.patch
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 22:34:17 UTC 
CVE-2013-0191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0191):
  libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value
  returned by the password search query, which allows remote attackers to
  bypass authentication via a crafted password.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 07:02:50 UTC 
No response/bump/patch in 3 years.  Candidate for tree cleaning.  Will PMASK within the week.
Comment 5 SpanKY gentoo-dev 2016-03-29 08:49:26 UTC 
0.7.3.2 now in the tree
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 09:08:38 UTC 
@Mike, thanks for the quick bump.  Please cleanup the vulnerable versions.  Thank you.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-30 00:34:07 UTC 
@Mike, is this capable of being cleaned?  Let me know and I will clean the vulnerable if need be.  Thanks.
Comment 8 SpanKY gentoo-dev 2016-03-30 02:13:39 UTC 
(In reply to Aaron Bauman from comment #7)

feel free
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-03-30 05:51:43 UTC 
commit 3d30be66165c07dc48c59c8be8b1376984193288
Author: Aaron Bauman <bman@gentoo.org>
Date:   Wed Mar 30 14:50:10 2016 +0900

    sys-auth/pam-pgsql: remove vulnerable versions per bug 452652.  Fix ebuild header line 3
    
    Package-Manager: portage-2.2.26