From $URL : Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might allow login with any password if the SQL query for the password returns NULL. Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/> Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>
Attaching patch from upstream.
Created attachment 365952 [details, diff] pam-pgsql-0.7.3.1-nullpassword.patch
CVE-2013-0191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0191): libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value returned by the password search query, which allows remote attackers to bypass authentication via a crafted password.
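The failure mode behind CVE-2013-0191, as an added illustration that is not pam_pgsql's own code: a password-lookup query that yields SQL NULL for the password column must be treated as an authentication failure, not as a value to compare against. The in-memory "query result", the salted SHA-256 stand-in for the password scheme, and the function names are assumptions made for this example; pam_pgsql's real query, password formats and code path differ.

```python
"""Illustration of the CVE-2013-0191 failure mode (added example, not pam_pgsql code).

A NULL password column must be an explicit deny. The hashing scheme and the
fake query result below are assumptions for the demonstration only.
"""
import hashlib
import hmac


def _hash(password, salt):
    """Stand-in password hash: hex SHA-256 over salt || password (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_stored(password, salt):
    """Produce the stored representation 'salt$digest' (assumption)."""
    return salt + "$" + _hash(password, salt)


# Constructed rows standing in for the configured password query.
# None stands for SQL NULL, e.g. a user whose password column was never set.
_FAKE_TABLE = {
    "alice": make_stored("correct horse battery staple", "s4lt"),
    "bob": None,
}


def lookup_password(user):
    """Simulate the password search query: a list of 0 or 1 rows, each a
    one-tuple holding the password column (None == SQL NULL)."""
    if user not in _FAKE_TABLE:
        return []
    return [(_FAKE_TABLE[user],)]


def _compare(stored, password):
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(_hash(password, salt), digest)


def verify_vulnerable(user, password):
    """Reproduces the effect the bug report describes: when the query returns
    NULL for the password, any password is accepted. The branch below models
    that outcome; it is not the literal pam_pgsql code path."""
    rows = lookup_password(user)
    if not rows:
        return False  # unknown user
    stored = rows[0][0]
    if stored is None:
        return True  # BUG: NULL credential is not rejected
    return _compare(stored, password)


def verify_fixed(user, password):
    """Hardened check: zero rows and a NULL password column both deny."""
    rows = lookup_password(user)
    if not rows:
        return False  # unknown user
    stored = rows[0][0]
    if stored is None:
        return False  # NULL credential: explicit deny, nothing to compare against
    return _compare(stored, password)


if __name__ == "__main__":
    for fn in (verify_vulnerable, verify_fixed):
        print(fn.__name__, "bob/anything ->", fn("bob", "anything"))
```

When the lookup is done through a client library, ask the library whether the field is NULL (for libpq that is `PQgetisnull`) before reading the value, since many libraries return an empty string for a NULL field; and pair the code check with a `NOT NULL` constraint on the password column so a NULL credential cannot be stored in the first place.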
No response/bump/patch in 3 years. Candidate for tree cleaning. Will PMASK within the week.
0.7.3.2 now in the tree
@Mike, thanks for the quick bump. Please clean up the vulnerable versions. Thank you.
@Mike, is this capable of being cleaned? Let me know and I will clean the vulnerable versions if need be. Thanks.
(In reply to Aaron Bauman from comment #7) feel free
commit 3d30be66165c07dc48c59c8be8b1376984193288 Author: Aaron Bauman <bman@gentoo.org> Date: Wed Mar 30 14:50:10 2016 +0900 sys-auth/pam-pgsql: remove vulnerable versions per bug 452652. Fix ebuild header line 3 Package-Manager: portage-2.2.26