Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261512 (CVE-2009-0887) - <sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (CVE-2009-0887)
Summary: <sys-libs/pam-1.0.4 pam_succeed_if non-ascii usernames privilege escalation (...
Alias: CVE-2009-0887
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: CVE-2009-0579
  Show dependency tree
Reported: 2009-03-07 00:25 UTC by Robert Buchholz (RETIRED)
Modified: 2009-09-07 00:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:25:16 UTC
On Thursday 05 March 2009, Jan Lieskovsky wrote:
  Marcus Granado recently reported a security issue in 
libpam related to parsing of non-ascii usernames in
the Pam configuration files. Attaching his report for
more details.

Affected version: pam <= 1.0.3

Link to SCM repo:

Could you please allocate a new CVE id for it?
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-03-07 00:29:08 UTC
ebuild? If this is <= 1.0.3 (and it seems to be from the CVS logs), this is getting stabled together with bug #261108.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:47:54 UTC
correct, the patch is applied in 1.0.3 -- my fault.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-12 21:06:08 UTC
CVE-2009-0887 (
  Integer signedness error in the _pam_StrTok function in
  libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
  configuration file contains non-ASCII usernames, might allow remote
  attackers to cause a denial of service, and might allow remote
  authenticated users to obtain login access with a different user's
  non-ASCII username, via a login attempt.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 13:00:09 UTC
i vote YES
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:01:55 UTC
YES, too. Request filed.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-07 00:59:27 UTC
GLSA 200909-01