Re: Bug#698241: NULL password query result permits login with any password



On Tue, Jan 15, 2013 at 10:09:39PM +0100, Florian Weimer wrote:
> Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might
> allow login with any password if the SQL query for the password returns
> NULL.
> 
> Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
> Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>
> 
> Please fix this for squeeze and wheezy, using minimal fixes.
> (We will not release a DSA for this.)

This bug, also known as CVE-2013-0191 [1], has been fixed in an upload to
unstable today [2]. I already filed an unblock request [3].

[1] https://security-tracker.debian.org/tracker/CVE-2013-0191
[2] http://packages.qa.debian.org/p/pam-pgsql/news/20130119T171737Z.html
[3] http://bugs.debian.org/698517

I have an upload for Squeeze ready and attach the corresponding debdiff to
this mail. You can also browse the changes in the package's squeeze branch [4].

[4] http://anonscm.debian.org/gitweb/?p=collab-maint/pam-pgsql.git;a=shortlog;h=refs/heads/squeeze

Please tell me whether I should upload the fixed package for Squeeze to
stable-proposed-updates.


Best regards
Jan

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
http://ddportfolio.debian.net/ - http://people.debian.org/~jandd/
diff -Nru pam-pgsql-0.7.1/debian/changelog pam-pgsql-0.7.1/debian/changelog
--- pam-pgsql-0.7.1/debian/changelog	2011-02-23 11:24:32.000000000 +0100
+++ pam-pgsql-0.7.1/debian/changelog	2013-01-19 19:48:59.000000000 +0100
@@ -1,3 +1,12 @@
+pam-pgsql (0.7.1-4+squeeze2) stable-proposed-updates; urgency=low
+
+  * Fix "CVE-2013-0191: NULL password query result permits login with
+    any password" by adding patch
+    debian/patches/fix-698241-null-passwort-result-permits-login.patch from
+    upstream bug tracker (Closes: #698241)
+
+ -- Jan Dittberner <jandd@debian.org>  Sat, 19 Jan 2013 19:48:50 +0100
+
 pam-pgsql (0.7.1-4+squeeze1) stable-security; urgency=high
 
   * add debian/patches/ipaddr-crash_603436.patch: fix crash on long
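
Review bot: The patch file name cited in the new changelog entry spells "passwort" (debian/patches/fix-698241-null-passwort-result-permits-login.patch). Suggest renaming it to "...null-password-..." before the upload so the name matches the bug title and is found by a search for "password"; the entry in debian/patches/series has to change with it.
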
diff -Nru pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch
--- pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch	1970-01-01 01:00:00.000000000 +0100
+++ pam-pgsql-0.7.1/debian/patches/fix-698241-null-passwort-result-permits-login.patch	2013-01-19 19:48:59.000000000 +0100
@@ -0,0 +1,16 @@
+Subject: Fix NULL password query result permits login with any password
+Author: Lucas Clemente Vella
+Origin: upstream, http://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/
+Bug: https://sourceforge.net/p/pam-pgsql/bugs/13/
+Bug-Debian: http://bugs.debian.org/698241
+--- a/src/backend_pgsql.c
++++ b/src/backend_pgsql.c
+@@ -262,7 +262,7 @@
+ 	if(pg_execParam(conn, &res, options->query_auth, service, user, passwd, rhost) == PAM_SUCCESS) {
+ 		if(PQntuples(res) == 0) {
+ 			rc = PAM_USER_UNKNOWN;
+-		} else {
++		} else if (!PQgetisnull(res, 0, 0)) {
+ 			char *stored_pw = PQgetvalue(res, 0, 0);
+ 			if (!strcmp(stored_pw, (tmp = password_encrypt(options, user, passwd, stored_pw)))) rc = PAM_SUCCESS;
+ 			free (tmp);
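
Review bot: With the branch changed to "else if (!PQgetisnull(res, 0, 0))", a row whose password column is NULL now matches neither branch, and none of the visible lines assigns rc on that path, so the rejection depends on whatever rc held before this block, which the hunk does not show. Suggest confirming that rc is initialised to a failure code ahead of the query, or adding an explicit final "else { rc = PAM_AUTH_ERR; }" so the NULL case fails closed in the code that is touched here. A log message on that path would also help administrators find accounts whose password query returns NULL.
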
diff -Nru pam-pgsql-0.7.1/debian/patches/series pam-pgsql-0.7.1/debian/patches/series
--- pam-pgsql-0.7.1/debian/patches/series	2011-02-23 11:24:32.000000000 +0100
+++ pam-pgsql-0.7.1/debian/patches/series	2013-01-19 19:48:59.000000000 +0100
@@ -2,3 +2,4 @@
 md5_64bit_584683.patch
 md5postgres_594721.patch
 ipaddr-crash_603436.patch
+fix-698241-null-passwort-result-permits-login.patch
