oss-sec mailing list archives

CVE id request: libpam-pgsql


From: Nico Golde <oss-security+ml () ngolde de>
Date: Sat, 24 May 2008 22:37:45 +0200

Hi,
it was discovered that a programming error in libpam-pgsql 
(value always being evaluated as true because of a missing 
bracket) enables an attacker to get root access for example 
by pressing ctrl-c after calling sudo.

This change was introduced somewhere between version 0.5.2 
and 0.6.2 (maybe earlier).

This is Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970

Note: this only leads to direct root access if the 
authentication using this pam module is configured as 
sufficient.

Patch:

Index: pam-pgsql-0.6.3/pam_pgsql.c
===================================================================
--- pam-pgsql-0.6.3.orig/pam_pgsql.c    2008-05-24 19:37:21.000000000 +0200
+++ pam-pgsql-0.6.3/pam_pgsql.c 2008-05-24 19:43:17.000000000 +0200
@@ -583,7 +583,7 @@
                if ((rc = pam_get_user(pamh, &user, NULL)) == PAM_SUCCESS) {
                        if ((rc = get_module_options(argc, argv, &options)) == PAM_SUCCESS) {
                                DBGLOG("attempting to authenticate: %s", user);
-                               if ((rc = pam_get_pass(pamh, PAM_AUTHTOK, &password, PASSWORD_PROMPT, 
options->std_flags) == PAM_SUCCESS)) {
+                               if ((rc = pam_get_pass(pamh, PAM_AUTHTOK, &password, PASSWORD_PROMPT, 
options->std_flags)) == PAM_SUCCESS) {
                                        if ((rc = auth_verify_password(pam_get_service(pamh), user, password, rhost, 
options)) == PAM_SUCCESS) {
                                                if ((password == 0 || *password == 0) && (flags & 
PAM_DISALLOW_NULL_AUTHTOK)) {
                                                        rc = PAM_AUTH_ERR; 
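Review bot: The corrected pam_get_pass line still assigns and compares inside the if condition, as do the pam_get_user, get_module_options and auth_verify_password lines around it, so correctness keeps depending on the position of a single parenthesis. Consider splitting it into `rc = pam_get_pass(pamh, PAM_AUTHTOK, &password, PASSWORD_PROMPT, options->std_flags);` followed by `if (rc == PAM_SUCCESS) {`, and doing the same for the neighbouring calls. With the removed line, rc received the result of the `== PAM_SUCCESS` comparison rather than the return code of pam_get_pass, so a failed call left rc at 0, which is the value of PAM_SUCCESS in Linux-PAM. A regression test for the failing pam_get_pass path would catch a recurrence.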

Can I get a CVE id for this one please?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
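
Added example, not part of the original mail or of pam_pgsql.c: a reduced C model of the condition changed in the patch, showing which value rc holds when the password prompt fails. The stub functions and the PAM_CONV_ERR return for an aborted prompt are assumptions; PAM_SUCCESS is 0 as in Linux-PAM.

```c
#include <stdio.h>

/* Local stand-ins so the example builds without the PAM headers.
 * PAM_SUCCESS is 0 in Linux-PAM, which is what turns the typo into a bypass. */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7
#define PAM_CONV_ERR 19

/* Hypothetical stubs standing in for pam_get_pass() and auth_verify_password().
 * Assumption: an aborted prompt makes the password call return an error code. */
static int get_pass_stub(int prompt_aborted) {
    return prompt_aborted ? PAM_CONV_ERR : PAM_SUCCESS;
}
static int verify_stub(int password_ok) {
    return password_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Pre-patch shape: rc receives the result of the comparison (1 or 0),
 * not the return code. A failed prompt gives rc = 0, i.e. PAM_SUCCESS. */
int authenticate_buggy(int prompt_aborted, int password_ok) {
    int rc;
    if ((rc = get_pass_stub(prompt_aborted) == PAM_SUCCESS)) {
        rc = verify_stub(password_ok);
    }
    return rc;
}

/* Patched shape: rc receives the return code, which is then compared. */
int authenticate_fixed(int prompt_aborted, int password_ok) {
    int rc;
    if ((rc = get_pass_stub(prompt_aborted)) == PAM_SUCCESS) {
        rc = verify_stub(password_ok);
    }
    return rc;
}

int main(void) {
    printf("aborted prompt: buggy rc=%d, fixed rc=%d\n",
           authenticate_buggy(1, 0), authenticate_fixed(1, 0));
    printf("wrong password: buggy rc=%d, fixed rc=%d\n",
           authenticate_buggy(0, 0), authenticate_fixed(0, 0));
    return 0;
}
```

When the module is marked sufficient, a returned PAM_SUCCESS ends the stack with access granted, which is why the buggy return value on the failed-prompt path matters.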
