oss-sec mailing list archives

Re: pam-pgsql NULL password handling issue


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Jan 2013 22:49:36 -0700

On 01/15/2013 12:23 PM, Florian Weimer wrote:
> Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql)
> might allow login with any password if the SQL query for the
> password returns NULL.
>
> Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
> Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>
>
> As usual, I'm not sure if this constitutes a security bug, but
> we'll probably fix this nevertheless if we get the opportunity.

Please use CVE-2013-0188 for this issue.

In general I think we take a strict line on password parsing. I can
see programs that might create new accounts with a NULL password,
especially on the theory that the front end/etc. forces a password to
be entered that isn't NULL.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

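As an added illustration, not pam-pgsql's own code (that is in the bug report and patch linked above): a Python sketch of the failure mode described in the thread, where a credential column that comes back as SQL NULL is mistaken for a match, beside a check that fails closed on NULL. sqlite3 stands in for PostgreSQL, and the users table, logins and hash format are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Stored format (constructed for this example): "<salt_hex>$<pbkdf2_sha256_hex>".
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify(stored, supplied):
    # Re-derive with the stored salt and compare in constant time.
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(supplied, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def make_db():
    # sqlite3 stands in for PostgreSQL; the driver returns SQL NULL as None.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    db.execute("INSERT INTO users VALUES (?, NULL)", ("bob",))  # account created with no password
    return db

def lookup_hash(db, login):
    # None: no such user.  (None,): user exists but pw_hash is SQL NULL.
    return db.execute("SELECT pw_hash FROM users WHERE login = ?", (login,)).fetchone()

def authenticate_naive(db, login, supplied):
    row = lookup_hash(db, login)
    if row is None:
        return False
    # Illustrative defect: NULL is read as "no password required" and
    # short-circuits the comparison, so any supplied password is accepted.
    return row[0] is None or verify(row[0], supplied)

def authenticate(db, login, supplied):
    row = lookup_hash(db, login)
    # Fail closed: unknown user, NULL credential and hash mismatch all deny.
    # A NOT NULL constraint on pw_hash would stop such rows being created at all.
    if row is None or row[0] is None:
        return False
    return verify(row[0], supplied)

if __name__ == "__main__":
    db = make_db()
    for check in (authenticate_naive, authenticate):
        print(check.__name__, "bob / 'anything' ->", check(db, "bob", "anything"))
```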
