oss-sec mailing list archives
CVE request - Debian/Ubuntu PAM auth module selection
From: Kees Cook <kees () ubuntu com>
Date: Tue, 8 Sep 2009 16:09:59 -0700
Hi, I'd like to request a CVE for an issue that came up in the Debian and Ubuntu configuration tools used on PAM. From the USN http://www.ubuntu.com/usn/usn-828-1: Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to chose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations. Also tracked as: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927 https://bugs.launchpad.net/bugs/410171 This was a Debian and Ubuntu specific issue, and only Ubuntu had supported releases with this flaw present (the issue never made it to Debian stable). Thanks, -Kees -- Kees Cook Ubuntu Security Team
Current thread:
- CVE request - Debian/Ubuntu PAM auth module selection Kees Cook (Sep 08)
- Re: CVE request - Debian/Ubuntu PAM auth module selection Steven M. Christey (Sep 16)