Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 153916 - sys-auth/pam_ldap < 183 Authentication Bypass (CVE-2006-5170)
Summary: sys-auth/pam_ldap < 183 Authentication Bypass (CVE-2006-5170)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://bugzilla.padl.com/show_bug.cgi...
Whiteboard: A4? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-03 03:44 UTC by Matt Drew (RETIRED)
Modified: 2019-12-29 11:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2006-11-03 03:44:02 UTC
http://secunia.com/advisories/22682/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5170

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207286

An apparently new problem related to the same LDAP PasswordPolicyResponse message - allows locked users access with no password.  Solution is to upgrade to version 183.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 22:44:38 UTC
pam-bugs please advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 08:22:51 UTC
pam-bugs please advise.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-12-11 12:22:08 UTC
in tree now.
arches, please stabilize
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 12:52:34 UTC
Thx Robbat.
Comment 5 Dustin J. Mitchell 2006-12-11 16:15:37 UTC
All combinations of USE flags emerge on amd64.  With all USE flags set,
manages to authenticate against an LDAP server (whew! was that a lot of work
to set up!):

  AT htdocs # getent passwd | grep 0:0
  root:x:0:0:root:/root:/bin/bash
  root:x:0:0:root:/root:/bin/bash

So I'd say amd64's ready to stable.

Gentoo Base System version 1.12.5
Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.15-gentoo-r72006040301 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r72006040301 x86_64 AMD Athlon(tm) 64 Processor 3700+
Last Sync: Mon, 11 Dec 2006 21:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect confcache digest distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://209.59.138.21/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dlloader dri elibc_glibc fortran gdbm gpm iconv input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts udev unicode userland_GNU video_cards_apm video_cards_ark video_cards_ati video_cards_chips video_cards_cirrus video_cards_cyrix video_cards_dummy video_cards_fbdev video_cards_glint video_cards_i128 video_cards_i810 video_cards_mga video_cards_neomagic video_cards_nv video_cards_rendition video_cards_s3 video_cards_s3virge video_cards_savage video_cards_siliconmotion video_cards_sis video_cards_sisusb video_cards_tdfx video_cards_tga video_cards_trident video_cards_tseng video_cards_v4l video_cards_vesa video_cards_vga video_cards_via video_cards_vmware video_cards_voodoo xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 6 Brent Baude (RETIRED) gentoo-dev 2006-12-11 17:07:53 UTC
ppc64 done
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2006-12-11 21:45:15 UTC
x86 done
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-12 05:09:43 UTC
sparc stable.
Comment 9 Peter Weller (RETIRED) gentoo-dev 2006-12-12 11:39:26 UTC
AMD64 gone :)
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-13 08:25:08 UTC
ppc stable
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-13 10:48:21 UTC
Stable on Alpha.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-15 07:54:52 UTC
i vote GLSA
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-15 08:09:00 UTC
I vote for a GLSA too, though last time I looked hppa was security supported:-)
Comment 14 Wolf Giesen (RETIRED) gentoo-dev 2006-12-15 10:22:28 UTC
definite yes here
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2006-12-17 13:55:10 UTC
stable on hppa. Sorry for the delay.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-17 22:19:02 UTC
This one is ready for GLSA.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-21 05:46:48 UTC
GLSA 200612-19 , thanks everybody!