oss-sec mailing list archives
Re: pam-pgsql NULL password handling issue
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 15 Jan 2013 22:49:36 -0700
On 01/15/2013 12:23 PM, Florian Weimer wrote:

> Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might allow login with any password if the SQL query for the password returns NULL.
>
> Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
> Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>
>
> As usual, I'm not sure if this constitutes a security bug, but we'll probably fix this nevertheless if we get the opportunity.

Please use CVE-2013-0188 for this issue. In general I think we take a strict line on password parsing. I can see programs that might create new accounts with a NULL password, especially on the theory that the front end/etc. forces a password to be entered that isn't NULL.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
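The failure mode discussed in this thread, as an added illustration that is not pam-pgsql's own code: a backend fetches the password column with SQL, a NULL result collapses to an empty string, and a prefix-length comparison then accepts any supplied password. The hash format, the `sqlite3` stand-in for PostgreSQL and the sample accounts are all constructed for the example; the fail-closed variant shows the check the module needs.

```python
import hashlib
import hmac
import sqlite3
from typing import Callable, Optional


def hash_password(password: str, salt: str) -> str:
    # Constructed stand-in scheme "<salt>$<hex digest>"; not pam-pgsql's real format.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
    return f"{salt}${digest.hex()}"


def verify_vulnerable(stored: Optional[str], supplied: str) -> bool:
    # Models the bug class: SQL NULL is read back as "" (as a C caller gets from an
    # unchecked column value) and the comparison only covers len(stored) characters,
    # so an empty stored value matches whatever the user typed.
    stored = stored or ""
    salt = stored.split("$", 1)[0]
    computed = hash_password(supplied, salt)
    return computed[:len(stored)] == stored


def verify_fixed(stored: Optional[str], supplied: str) -> bool:
    # Fail closed: a NULL or malformed credential on record can never authenticate.
    if stored is None or "$" not in stored:
        return False
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(supplied, salt), stored)


def build_db() -> sqlite3.Connection:
    # Constructed sample table. Note the nullable password column: adding NOT NULL
    # at the schema level is the database-side mitigation for accounts created
    # without a password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse", "s4lt")))
    conn.execute("INSERT INTO users VALUES (?, NULL)", ("pending",))  # no password set
    return conn


def authenticate(conn: sqlite3.Connection, user: str, password: str,
                 verify: Callable[[Optional[str], str], bool]) -> bool:
    # The query the module would run; row[0] is None when the column is SQL NULL.
    row = conn.execute("SELECT password FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        return False
    return verify(row[0], password)
```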