On Tue, Jan 15, 2013 at 10:09:39PM +0100, Florian Weimer wrote: > Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might > allow login with any password the SQL query for the password returns > NULL. > > Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/> > Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/> > > Please fix this for squeeze and wheezy, using minimal fixes. > (We will not release a DSA for this.) This bug also known as CVE-2013-0191 [1] has been fixed in an upload to unstable today [2]. I already filed an unblock request [3]. [1] https://security-tracker.debian.org/tracker/CVE-2013-0191 [2] http://packages.qa.debian.org/p/pam-pgsql/news/20130119T171737Z.html [3] http://bugs.debian.org/698517 I have an upload for Squeeze ready and attach the corresponding debdiff to this mail. You can also browse the changes in the package's squeeze branch [4]. [4] http://anonscm.debian.org/gitweb/?p=collab-maint/pam-pgsql.git;a=shortlog;h=refs/heads/squeeze Please tell me whether I should upload the fixed package for Squeeze to stable-proposed-updates. Best regards Jan -- Jan Dittberner - Debian Developer GPG-key: 4096R/558FB8DD 2009-05-10 B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
diff -Nru pam-pgsql-0.7.1/debian/changelog pam-pgsql-0.7.1/debian/changelog --- pam-pgsql-0.7.1/debian/changelog 2011-02-23 11:24:32.000000000 +0100 +++ pam-pgsql-0.7.1/debian/changelog 2013-01-19 19:48:59.000000000 +0100 @@ -1,3 +1,12 @@ +pam-pgsql (0.7.1-4+squeeze2) stable-proposed-updates; urgency=low + + * Fix "CVE-2013-0191: NULL password query result permits login with + any password" by adding patch + debian/patches/fix-698241-null-passwort-result-permits-login.patch from + upstream bug tracker (Closes: #698241) + + -- Jan Dittberner <jandd@debian.org> Sat, 19 Jan 2013 19:48:50 +0100 + pam-pgsql (0.7.1-4+squeeze1) stable-security; urgency=high * add debian/patches/ipaddr-crash_603436.patch: fix crash on long diff -Nru pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch --- pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch 1970-01-01 01:00:00.000000000 +0100 +++ pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch 2013-01-19 19:48:59.000000000 +0100 @@ -0,0 +1,16 @@ +Subject: Fix NULL password query result permits login with any password +Author: Lucas Clemente Vella +Origin: upstream, http://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/ +Bug: https://sourceforge.net/p/pam-pgsql/bugs/13/ +Bug-Debian: http://bugs.debian.org/698241 +--- a/src/backend_pgsql.c ++++ b/src/backend_pgsql.c +@@ -262,7 +262,7 @@ + if(pg_execParam(conn, &res, options->query_auth, service, user, passwd, rhost) == PAM_SUCCESS) { + if(PQntuples(res) == 0) { + rc = PAM_USER_UNKNOWN; +- } else { ++ } else if (!PQgetisnull(res, 0, 0)) { + char *stored_pw = PQgetvalue(res, 0, 0); + if (!strcmp(stored_pw, (tmp = password_encrypt(options, user, passwd, stored_pw)))) rc = PAM_SUCCESS; + free (tmp); diff -Nru pam-pgsql-0.7.1/debian/patches/series pam-pgsql-0.7.1/debian/patches/series --- pam-pgsql-0.7.1/debian/patches/series 2011-02-23 11:24:32.000000000 +0100 +++ pam-pgsql-0.7.1/debian/patches/series 2013-01-19 19:48:59.000000000 +0100 @@ -2,3 +2,4 @@ md5_64bit_584683.patch md5postgres_594721.patch ipaddr-crash_603436.patch +fix-698241-null-passwort-result-permits-login.patch
Attachment:
signature.asc
Description: Digital signature