On Thursday 05 March 2009, Jan Lieskovsky wrote: Marcus Granado recently reported a security issue in libpam related to parsing of non-ascii usernames in the Pam configuration files. Attaching his report for more details. Affected version: pam <= 1.0.3 Link to SCM repo: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?view=log Patch: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?r1=1.9&r2=1.10&view=patch Could you please allocate a new CVE id for it?
ebuild? If this is <= 1.0.3 (and it seems to be from the CVS logs), this is getting stabled together with bug #261108.
correct, the patch is applied in 1.0.3 -- my fault.
CVE-2009-0887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0887): Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.
i vote YES
YES, too. Request filed.
GLSA 200909-01
