Bug#481970: marked as done (libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.)

To: Michael Schutte <m.schutte.jr@gmail.com>
Subject: Bug#481970: marked as done (libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 24 May 2008 20:51:28 +0000
Message-id: <[🔎] handler.481970.D481970.121166208230229.ackdone@bugs.debian.org>
References: <E1K00e3-0004aD-UW@ries.debian.org> <[🔎] 20080519200428.6712.3511.reportbug@io.link-m.de>

Your message dated Sat, 24 May 2008 20:47:15 +0000
with message-id <E1K00e3-0004aD-UW@ries.debian.org>
and subject line Bug#481970: fixed in pam-pgsql 0.6.3-2
has caused the Debian Bug report #481970,
regarding libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
481970: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.
From: Julian Mehnle <julian@mehnle.net>
Date: Mon, 19 May 2008 20:04:29 +0000
Message-id: <[🔎] 20080519200428.6712.3511.reportbug@io.link-m.de>

Package: libpam-pgsql
Version: 0.6.3-1
Severity: critical
Tags: security
Justification: root security hole

I recently upgraded libpam-pgsql to 0.6.3-1.  I now noticed that
pressing <Ctrl+C> during libpam-pgsql's authentication phase, e.g., when
sudo is asking for the user's password, erroneously causes sudo to
succeed as if the user had entered the correct password, IF pam_pgsql.so
has been configured as a "sufficient" authentication module in the
system's PAM setup.

I am attaching my /etc/pam.d/common-auth and /etc/pam.d/sudo files for
illustration.  Only the former has been changed from the PAM defaults.

Here's a transcript demonstrating the effect:

| io:~> id
| uid=1004(julian) gid=100(users) groups=0(root),4(adm),8(mail),32(postgres),40(src),50(staff),100(users),[...]
| io:~> sudo -k
| io:~> sudo id
| [sudo] password for julian: ^C
| uid=0(root) gid=0(root) groups=0(root),4(adm)

Even though pam_pgsql.so is not configured as a "sufficient" auth module
by default, I consider this a critical security issue in the libpam-
pgsql package.  Feel free to downgrade the severity if you think
otherwise.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (90, 'unstable')
Architecture: i386 (i586)

Kernel: Linux 2.6.24-1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-pgsql depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libmhash2                     0.9.9-1    Library for cryptographic hashing 
ii  libpam0g                      0.99.7.1-6 Pluggable Authentication Modules l
ii  libpq5                        8.3.1-1    PostgreSQL C client library

libpam-pgsql recommends no packages.

-- no debconf information

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#

# USM login authentication
auth    sufficient      pam_pgsql.so table=auth.login

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth    required        pam_unix.so nullok try_first_pass

#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so

--- End Message ---

--- Begin Message ---

To: 481970-close@bugs.debian.org
Subject: Bug#481970: fixed in pam-pgsql 0.6.3-2
From: Michael Schutte <m.schutte.jr@gmail.com>
Date: Sat, 24 May 2008 20:47:15 +0000
Message-id: <E1K00e3-0004aD-UW@ries.debian.org>

Source: pam-pgsql
Source-Version: 0.6.3-2

We believe that the bug you reported is fixed in the latest version of
pam-pgsql, which is due to be installed in the Debian FTP archive:

libpam-pgsql_0.6.3-2_amd64.deb
  to pool/main/p/pam-pgsql/libpam-pgsql_0.6.3-2_amd64.deb
pam-pgsql_0.6.3-2.diff.gz
  to pool/main/p/pam-pgsql/pam-pgsql_0.6.3-2.diff.gz
pam-pgsql_0.6.3-2.dsc
  to pool/main/p/pam-pgsql/pam-pgsql_0.6.3-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 481970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Schutte <m.schutte.jr@gmail.com> (supplier of updated pam-pgsql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 24 May 2008 22:30:02 +0200
Source: pam-pgsql
Binary: libpam-pgsql
Architecture: source amd64
Version: 0.6.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Michael Schutte <m.schutte.jr@gmail.com>
Description: 
 libpam-pgsql - PAM module to authenticate using a PostgreSQL database
Closes: 481970
Changes: 
 pam-pgsql (0.6.3-2) unstable; urgency=high
 .
   * High-urgency QA upload to get security fix into testing.
   * Fix upstream security issue that granted root access when pressing Ctrl-C
     in sudo’s authentication conversation, closes: #481970.  The problem was
     caused by a mistake in operator precedence leading to a pam_get_pass call
     always being considered successful; it is fixed by adding a level of
     parentheses.
Checksums-Sha1: 
 78c783543a76baa7b28f285346215b9c976659a8 1082 pam-pgsql_0.6.3-2.dsc
 12d86f585362f87e803668544413ca3c22b69072 5106 pam-pgsql_0.6.3-2.diff.gz
 b867a431f7229ad005de8453af03b17ce4f9b8f0 17178 libpam-pgsql_0.6.3-2_amd64.deb
Checksums-Sha256: 
 95acadfe56318b7fed4a24edc02bdbb3c1a2cec3b90f1a08a1a113fbc7a3e454 1082 pam-pgsql_0.6.3-2.dsc
 9e9195eb9f94ba66d3463e69e18c44c5b0a37ef393da4025c2e9aa3eaa8e1ecd 5106 pam-pgsql_0.6.3-2.diff.gz
 6e262c9d4f232f6ef48f9c9e86617b8b94fe8d6657f3365a0da1af47e6f8aff3 17178 libpam-pgsql_0.6.3-2_amd64.deb
Files: 
 739450cdd245fd211f671c11ef2fcdd0 1082 admin extra pam-pgsql_0.6.3-2.dsc
 b5723e7ce8cfea41f4234185195d28b2 5106 admin extra pam-pgsql_0.6.3-2.diff.gz
 4c035ce8229e7c5714d22a3901f41cf0 17178 admin extra libpam-pgsql_0.6.3-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIOH0JHYflSXNkfP8RAvu0AJ0YGpwf0ob+Lz9GnwgXDDRUEod4TACgjfMd
GxXJdOex/AUrm9/9FMhL95g=
=FoT5
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

References:
- Bug#481970: libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.
  - From: Julian Mehnle <julian@mehnle.net>

Prev by Date: pam-pgsql_0.6.3-2_amd64.changes ACCEPTED
Next by Date: manpages-ko 20050219-2 MIGRATED to testing
Previous by thread: Bug#481970: libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.
Next by thread: Compile prestimel with ImageMagick from experimental
Index(es):
- Date
- Thread