Date: Tue, 8 Sep 2009 16:09:59 -0700
From: Kees Cook <kees@...ntu.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: CVE request - Debian/Ubuntu PAM auth module selection

Hi,

I'd like to request a CVE for an issue that came up in the Debian and
Ubuntu configuration tools used on PAM. From the USN
http://www.ubuntu.com/usn/usn-828-1:

Russell Senior discovered that the system authentication module selection
mechanism for PAM did not safely handle an empty selection. If an
administrator had specifically removed the default list of modules or
failed to choose a module when operating debconf in a very unlikely
non-default configuration, PAM would allow any authentication attempt,
which could lead to remote attackers gaining access to a system with
arbitrary privileges. This did not affect default Ubuntu installations.

Also tracked as:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
https://bugs.launchpad.net/bugs/410171

This was a Debian and Ubuntu specific issue, and only Ubuntu had supported
releases with this flaw present (the issue never made it to Debian
stable).

Thanks,

-Kees

--
Kees Cook
Ubuntu Security Team