| Field | Value |
|---|---|
| Summary | sys-auth/pam-pgsql-0.7.3.2: NULL password handling issue (CVE-2013-0191) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | pam-bugs+disabled, vapier |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2013/01/15/7 |
| Whiteboard | ~3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | pam-pgsql-0.7.3.1-nullpassword.patch (attachment 365952) |
Description

Agostino Sarubbo, 2013-01-17 10:37:44 UTC

Attaching patch from upstream. Created attachment 365952 [details, diff]: pam-pgsql-0.7.3.1-nullpassword.patch

CVE-2013-0191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0191): libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value returned by the password search query, which allows remote attackers to bypass authentication via a crafted password.

No response/bump/patch in 3 years. Candidate for tree cleaning. Will PMASK within the week.

0.7.3.2 now in the tree.

@Mike, thanks for the quick bump. Please cleanup the vulnerable versions. Thank you.

@Mike, is this capable of being cleaned? Let me know and I will clean the vulnerable if need be. Thanks.

(In reply to Aaron Bauman from comment #7) feel free

commit 3d30be66165c07dc48c59c8be8b1376984193288
Author: Aaron Bauman <bman@gentoo.org>
Date: Wed Mar 30 14:50:10 2016 +0900

    sys-auth/pam-pgsql: remove vulnerable versions per bug 452652.
    Fix ebuild header line 3

    Package-Manager: portage-2.2.26