452652 – (CVE-2013-0191) <sys-auth/pam-pgsql-0.7.3.2: NULL password handling issue (CVE-2013-0191)

Bug 452652 (CVE-2013-0191) - <sys-auth/pam-pgsql-0.7.3.2: NULL password handling issue (CVE-2013-0191)

Summary: <sys-auth/pam-pgsql-0.7.3.2: NULL password handling issue (CVE-2013-0191)

Status:	RESOLVED FIXED

Alias:	CVE-2013-0191

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	~3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2013-01-17 10:37 UTC by Agostino Sarubbo
Modified:	2016-03-30 05:51 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
pam-pgsql-0.7.3.1-nullpassword.patch (pam-pgsql-0.7.3.1-nullpassword.patch,442 bytes, patch) 2013-12-23 03:55 UTC, Samuel Damashek (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2013-01-17 10:37:44 UTC

From $URL :

Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might
allow login with any password the SQL query for the password returns
NULL.

Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>

Comment 1 Samuel Damashek (RETIRED) gentoo-dev

2013-12-23 03:54:25 UTC

Attaching patch from upstream.

Comment 2 Samuel Damashek (RETIRED) gentoo-dev

2013-12-23 03:55:05 UTC

Created attachment 365952 [details, diff]
pam-pgsql-0.7.3.1-nullpassword.patch

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2014-08-19 22:34:17 UTC

CVE-2013-0191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0191):
  libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a NULL value
  returned by the password search query, which allows remote attackers to
  bypass authentication via a crafted password.

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2016-03-29 07:02:50 UTC

No response/bump/patch in 3 years.  Candidate for tree cleaning.  Will PMASK within the week.

Comment 5 SpanKY gentoo-dev

2016-03-29 08:49:26 UTC

0.7.3.2 now in the tree

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2016-03-29 09:08:38 UTC

@Mike, thanks for the quick bump.  Please cleanup the vulnerable versions.  Thank you.

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2016-03-30 00:34:07 UTC

@Mike, is this capable of being cleaned?  Let me know and I will clean the vulnerable if need be.  Thanks.

Comment 8 SpanKY gentoo-dev

2016-03-30 02:13:39 UTC

(In reply to Aaron Bauman from comment #7)

feel free

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2016-03-30 05:51:43 UTC

commit 3d30be66165c07dc48c59c8be8b1376984193288
Author: Aaron Bauman <bman@gentoo.org>
Date:   Wed Mar 30 14:50:10 2016 +0900

    sys-auth/pam-pgsql: remove vulnerable versions per bug 452652.  Fix ebuild header line 3
    
    Package-Manager: portage-2.2.26