Bug#698517: unblock: pam-pgsql/0.7.3.1-4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#698517: unblock: pam-pgsql/0.7.3.1-4
From: Jan Dittberner <jandd@debian.org>
Date: Sat, 19 Jan 2013 19:07:51 +0100
Message-id: <20130119180751.GA22711@dittberner.info>
Reply-to: Jan Dittberner <jandd@debian.org>, 698517@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package pam-pgsql

The version I just uploaded to unstable contains a fix for CVE-2013-0191
[1], [2].

[1] https://security-tracker.debian.org/tracker/CVE-2013-0191
[2] http://bugs.debian.org/698241

A debdiff to the version currently in testing is attached.


Best regards
Jan

unblock pam-pgsql/0.7.3.1-4

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/

diff -Nru pam-pgsql-0.7.3.1/debian/changelog pam-pgsql-0.7.3.1/debian/changelog
--- pam-pgsql-0.7.3.1/debian/changelog	2012-04-06 21:04:49.000000000 +0200
+++ pam-pgsql-0.7.3.1/debian/changelog	2013-01-19 18:10:16.000000000 +0100
@@ -1,3 +1,12 @@
+pam-pgsql (0.7.3.1-4) unstable; urgency=low
+
+  * Fix "CVE-2013-0191: NULL password query result permits login with
+    any password" by adding patch
+    debian/patches/fix-698241-null-passwort-result-permits-login.patch from
+    upstream bug tracker (Closes: #698241)
+
+ -- Jan Dittberner <jandd@debian.org>  Sat, 19 Jan 2013 18:10:09 +0100
+
 pam-pgsql (0.7.3.1-3) unstable; urgency=low
 
   * apply hardened build flags (Closes: #656003), thanks for the patch
diff -Nru pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch
--- pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch	1970-01-01 01:00:00.000000000 +0100
+++ pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch	2013-01-19 18:10:16.000000000 +0100
@@ -0,0 +1,16 @@
+Subject: Fix NULL password query result permits login with any password
+Author: Lucas Clemente Vella
+Origin: upstream, http://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/
+Bug: https://sourceforge.net/p/pam-pgsql/bugs/13/
+Bug-Debian: http://bugs.debian.org/698241
+--- a/src/backend_pgsql.c
++++ b/src/backend_pgsql.c
+@@ -258,7 +258,7 @@
+ 	if(pg_execParam(conn, &res, options->query_auth, service, user, passwd, rhost) == PAM_SUCCESS) {
+ 		if(PQntuples(res) == 0) {
+ 			rc = PAM_USER_UNKNOWN;
+-		} else {
++		} else if (!PQgetisnull(res, 0, 0)) {
+ 			char *stored_pw = PQgetvalue(res, 0, 0);
+ 			if (!strcmp(stored_pw, (tmp = password_encrypt(options, user, passwd, stored_pw)))) rc = PAM_SUCCESS;
+ 			free (tmp);
diff -Nru pam-pgsql-0.7.3.1/debian/patches/series pam-pgsql-0.7.3.1/debian/patches/series
--- pam-pgsql-0.7.3.1/debian/patches/series	2012-04-06 21:04:49.000000000 +0200
+++ pam-pgsql-0.7.3.1/debian/patches/series	2013-01-19 18:10:16.000000000 +0100
@@ -1 +1,2 @@
 ftbfs_441679.patch
+fix-698241-null-passwort-result-permits-login.patch

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#698517: marked as done (unblock: pam-pgsql/0.7.3.1-4)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: NEW changes in stable-new
Next by Date: Re: linux-2.6 update for stable?
Previous by thread: Bug#698516: marked as done (unblock: graphite-carbon/0.9.10-3)
Next by thread: Bug#698517: marked as done (unblock: pam-pgsql/0.7.3.1-4)
Index(es):
- Date
- Thread