On Thursday 05 March 2009, Jan Lieskovsky wrote:
Marcus Granado recently reported a security issue in
libpam related to parsing of non-ascii usernames in
the PAM configuration files. Attaching his report for
Affected version: pam <= 1.0.3
Link to SCM repo: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?view=log
Could you please allocate a new CVE id for it?
ebuild? If this is <= 1.0.3 (and it seems to be from the CVS logs), this is getting stabled together with bug #261108.
Correct, the patch is applied in 1.0.3 -- my fault.
Integer signedness error in the _pam_StrTok function in
libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
configuration file contains non-ASCII usernames, might allow remote
attackers to cause a denial of service, and might allow remote
authenticated users to obtain login access with a different user's
non-ASCII username, via a login attempt.
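
The bug class named in the description above, as an added example that is not Linux-PAM's code and not part of the original thread. It assumes the signedness error is a plain `char` used to index a 256-entry delimiter table (the page does not show the code); the function names and the sample username are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Index as produced by a plain `char` subscript where char is signed:
 * any byte >= 0x80 (every non-ASCII UTF-8 byte) becomes negative. */
static int index_signed(const char *p)   { return (int)(signed char)*p; }

/* Hardened form: convert through unsigned char, index is always 0..255. */
static int index_unsigned(const char *p) { return (int)(unsigned char)*p; }

/* Would a lookup with this index stay inside a 256-entry table? */
static int in_bounds(int idx) { return idx >= 0 && idx < 256; }

/* Hypothetical table-driven tokenizer: length in bytes of the first token
 * in `s`. All table accesses go through unsigned char. */
static size_t token_len(const char *s, const char *delims)
{
    unsigned char table[256] = {0};
    size_t n = 0;

    table[0] = 1;                          /* NUL always ends a token */
    for (; *delims; ++delims)
        table[(unsigned char)*delims] = 1; /* mark each delimiter byte */
    while (!table[(unsigned char)s[n]])
        ++n;
    return n;
}

int main(void)
{
    /* Constructed sample: "jos" + U+00E9 in UTF-8 (0xC3 0xA9), then a field. */
    const char line[] = "jos\xc3\xa9 extra";
    const char *p = &line[3];              /* first non-ASCII byte */

    printf("signed index   %4d in bounds: %d\n",
           index_signed(p), in_bounds(index_signed(p)));
    printf("unsigned index %4d in bounds: %d\n",
           index_unsigned(p), in_bounds(index_unsigned(p)));
    printf("token length with unsigned indexing: %zu\n",
           token_len(line, " \t"));
    return 0;
}
```

With the signed index the lookup reads memory before the table, so whether a non-ASCII byte is treated as a delimiter depends on whatever happens to be stored there.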
I vote YES
YES, too. Request filed.