Date: Tue, 8 Sep 2009 16:09:59 -0700
From: Kees Cook <kees@...ntu.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: CVE request - Debian/Ubuntu PAM auth module selection

Hi,

I'd like to request a CVE for an issue that came up in the Debian and
Ubuntu configuration tools used on PAM.  From the USN
http://www.ubuntu.com/usn/usn-828-1:

 Russell Senior discovered that the system authentication module selection
 mechanism for PAM did not safely handle an empty selection. If an
 administrator had specifically removed the default list of modules or
 failed to choose a module when operating debconf in a very unlikely
 non-default configuration, PAM would allow any authentication attempt,
 which could lead to remote attackers gaining access to a system with
 arbitrary privileges. This did not affect default Ubuntu installations.

Also tracked as:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
https://bugs.launchpad.net/bugs/410171

This was a Debian and Ubuntu specific issue, and only Ubuntu had supported
releases with this flaw present (the issue never made it to Debian
stable).

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team
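
A defender-side check for the condition the advisory describes, an auth stack that succeeds although no module verified a credential. This is an added example, not part of the original message and not code from the PAM packages. It models libpam's ok, done, bad, die, ignore, reset and jump actions; the sample stacks are constructed, and it assumes only `pam_permit.so` succeeds without a credential, that every other module fails with `auth_err`, and that a bracket control without `default=` means `bad`.

```python
import re
# Keyword controls in their bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}
ALWAYS_SUCCEEDS = {"pam_permit.so"}  # assumption: every other module fails
AUTH_LINE = re.compile(r"^[ \t]*-?auth[ \t]+(\[[^\]]*\]|\S+)[ \t]+(\S+)", re.M)
# Constructed sample stacks, not files taken from the advisory.
CLOSED = ("auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
          "auth requisite pam_deny.so\nauth required pam_permit.so\n")
OPEN = "# no authentication module selected\nauth required pam_permit.so\n"

def parse_auth_stack(text):
    """Return [(actions, module)] for the auth lines of a pam.d-style file."""
    stack = []
    for control, module in AUTH_LINE.findall(text):
        actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                   if control.startswith("[") else KEYWORDS.get(control))
        if actions is not None:  # include/substack lines are not followed
            stack.append((actions, module.rsplit("/", 1)[-1]))
    return stack

def grants_without_credential(text):
    """True if the stack returns success although no credential was verified."""
    impression, success = None, True  # impression: None, "+" or "-"
    stack, i = parse_auth_stack(text), 0
    while i < len(stack):
        actions, module = stack[i]
        ok = module in ALWAYS_SUCCEEDS
        # Failing modules are assumed to return auth_err; no default means bad.
        action = actions.get("success" if ok else "auth_err",
                             actions.get("default", "bad"))
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip N modules
        if action == "reset":
            impression, success = None, True
        elif action in ("ok", "done"):
            if impression is None or (impression == "+" and success):
                impression, success = "+", ok
            if impression == "+" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "-":
                impression, success = "-", ok
            if action == "die":
                break
    return impression == "+" and success
```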
