Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package pam-pgsql

The version I just uploaded to unstable contains a fix for CVE-2013-0191 [1], [2].

[1] https://security-tracker.debian.org/tracker/CVE-2013-0191
[2] http://bugs.debian.org/698241

A debdiff to the version currently in testing is attached.

Best regards
Jan

unblock pam-pgsql/0.7.3.1-4

--
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
diff -Nru pam-pgsql-0.7.3.1/debian/changelog pam-pgsql-0.7.3.1/debian/changelog --- pam-pgsql-0.7.3.1/debian/changelog 2012-04-06 21:04:49.000000000 +0200 +++ pam-pgsql-0.7.3.1/debian/changelog 2013-01-19 18:10:16.000000000 +0100 @@ -1,3 +1,12 @@ +pam-pgsql (0.7.3.1-4) unstable; urgency=low + + * Fix "CVE-2013-0191: NULL password query result permits login with + any password" by adding patch + debian/patches/fix-698241-null-passwort-result-permits-login.patch from + upstream bug tracker (Closes: #698241) + + -- Jan Dittberner <jandd@debian.org> Sat, 19 Jan 2013 18:10:09 +0100 + pam-pgsql (0.7.3.1-3) unstable; urgency=low * apply hardened build flags (Closes: #656003), thanks for the patch diff -Nru pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch --- pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch 1970-01-01 01:00:00.000000000 +0100 +++ pam-pgsql-0.7.3.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch 2013-01-19 18:10:16.000000000 +0100 
@@ -0,0 +1,16 @@ +Subject: Fix NULL password query result permits login with any password +Author: Lucas Clemente Vella +Origin: upstream, http://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/ +Bug: https://sourceforge.net/p/pam-pgsql/bugs/13/ +Bug-Debian: http://bugs.debian.org/698241 +--- a/src/backend_pgsql.c ++++ b/src/backend_pgsql.c +@@ -258,7 +258,7 @@ + if(pg_execParam(conn, &res, options->query_auth, service, user, passwd, rhost) == PAM_SUCCESS) { + if(PQntuples(res) == 0) { + rc = PAM_USER_UNKNOWN; +- } else { ++ } else if (!PQgetisnull(res, 0, 0)) { + char *stored_pw = PQgetvalue(res, 0, 0); + if (!strcmp(stored_pw, (tmp = password_encrypt(options, user, passwd, stored_pw)))) rc = PAM_SUCCESS; + free (tmp); diff -Nru pam-pgsql-0.7.3.1/debian/patches/series pam-pgsql-0.7.3.1/debian/patches/series --- pam-pgsql-0.7.3.1/debian/patches/series 2012-04-06 21:04:49.000000000 +0200 +++ pam-pgsql-0.7.3.1/debian/patches/series 2013-01-19 18:10:16.000000000 +0100 @@ -1 +1,2 @@ ftbfs_441679.patch +fix-698241-null-passwort-result-permits-login.patch
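Review bot: The patch file name introduced in the changelog hunk and in debian/patches/series, `fix-698241-null-passwort-result-permits-login.patch`, misspells "password" as "passwort"; if you rename it, all three places (the changelog entry, the series line and the file header in the debdiff) must change together so the series file keeps pointing at an existing patch.

Review bot: In the backend_pgsql.c hunk, the new `} else if (!PQgetisnull(res, 0, 0)) {` branch skips the comparison when the stored password is NULL, but no visible line assigns `rc` for that case, so the result of a NULL row now depends entirely on how `rc` was initialised before this block, which is outside the hunk. Unless that initial value is provably a failure code, add an explicit `} else { rc = PAM_AUTH_ERR; }` so a NULL stored password is an unambiguous denial rather than a fall-through; a one-line comment above the branch stating that a NULL password must never authenticate would also make the intent of the CVE-2013-0191 fix clear to the next reader.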
Attachment:
signature.asc
Description: Digital signature