List: oss-security
Subject: [oss-security] CVE id request: libpam-pgsql
From: Nico Golde <oss-security+ml () ngolde ! de>
Date: 2008-05-24 20:37:45
Message-ID: 20080524203745.GA14969 () ngolde ! de
Hi,
it was discovered that a programming error in libpam-pgsql
(value always being evaluated as true because of a missing
bracket) enables an attacker to get root access for example
by pressing ctrl-c after calling sudo.
This change was introduced somewhere between version 0.5.2
and 0.6.2 (maybe earlier).
This is Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970
Note: this only leads to direct root access if the
authentication using this pam module is configured as
sufficient.
Patch:
Index: pam-pgsql-0.6.3/pam_pgsql.c
===================================================================
--- pam-pgsql-0.6.3.orig/pam_pgsql.c 2008-05-24 19:37:21.000000000 +0200
+++ pam-pgsql-0.6.3/pam_pgsql.c 2008-05-24 19:43:17.000000000 +0200
@@ -583,7 +583,7 @@
if ((rc = pam_get_user(pamh, &user, NULL)) == PAM_SUCCESS) {
if ((rc = get_module_options(argc, argv, &options)) == PAM_SUCCESS) {
DBGLOG("attempting to authenticate: %s", user);
- if ((rc = pam_get_pass(pamh, PAM_AUTHTOK, &password, \
PASSWORD_PROMPT, options->std_flags) == PAM_SUCCESS)) { + if ((rc \
= pam_get_pass(pamh, PAM_AUTHTOK, &password, PASSWORD_PROMPT, options->std_flags)) == \
PAM_SUCCESS) {
if ((rc = auth_verify_password(pam_get_service(pamh), \
user, password, rhost, options)) == PAM_SUCCESS) {
if ((password == 0 || *password == 0) && (flags \
& PAM_DISALLOW_NULL_AUTHTOK)) {
rc = PAM_AUTH_ERR;
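Review bot: The bracket placement on the `+` line is correct, but keeping the assignment inside the `if` condition leaves the same trap in place for the next edit. On this line, and on the `pam_get_user`, `get_module_options` and `auth_verify_password` lines around it, assign first (`rc = pam_get_pass(...);`) and test `rc == PAM_SUCCESS` in a separate statement, so that a misplaced bracket cannot turn `rc` into the result of the comparison. The hunk also does not show what is returned when this branch is not taken; it is worth confirming that the fall-through path returns the error held in `rc`.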
Can I get a CVE id for this one please?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
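
The precedence error described in the message above, reduced to a stand-alone C program (an added example, not part of the original mail or of the pam-pgsql source). `stub_get_pass` and `stub_verify` are hypothetical stand-ins for `pam_get_pass` and `auth_verify_password`, the non-zero status values are placeholders, and the example assumes the function returns `rc` after the nested checks, which the hunk does not show.

```c
#include <stdio.h>

/* Stand-in status codes. PAM_SUCCESS is 0 in Linux-PAM; the non-zero
 * values are placeholders chosen for this demo. */
enum { PAM_SUCCESS = 0, DEMO_AUTH_ERR = 7, DEMO_CONV_ERR = 19 };

/* Hypothetical stub for pam_get_pass(): `aborted` models the user
 * interrupting the password prompt, so no password is obtained. */
static int stub_get_pass(int aborted, const char **password)
{
    if (aborted)
        return DEMO_CONV_ERR;
    *password = "wrong-password";   /* constructed sample input */
    return PAM_SUCCESS;
}

/* Hypothetical stub for auth_verify_password(): rejects everything. */
static int stub_verify(const char *password)
{
    (void)password;
    return DEMO_AUTH_ERR;
}

/* Pre-patch shape: `==` binds tighter than `=`, so rc receives the
 * result of the comparison (0 or 1), not the status code. */
int authenticate_unpatched(int aborted)
{
    const char *password = NULL;
    int rc;
    if ((rc = stub_get_pass(aborted, &password) == PAM_SUCCESS))
        rc = stub_verify(password);
    return rc;   /* failed prompt: comparison is false, so rc == 0 */
}

/* Patched shape: rc keeps the status code, then it is compared. */
int authenticate_patched(int aborted)
{
    const char *password = NULL;
    int rc;
    if ((rc = stub_get_pass(aborted, &password)) == PAM_SUCCESS)
        rc = stub_verify(password);
    return rc;
}

int main(void)
{
    printf("unpatched, prompt aborted: %d\n", authenticate_unpatched(1));
    printf("patched,   prompt aborted: %d\n", authenticate_patched(1));
    return 0;
}
```

With the prompt aborted, the unpatched shape returns 0, the same value as `PAM_SUCCESS`, while the patched shape returns the error from the prompt.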