oss-sec mailing list archives
Re: pam-pgsql NULL password handling issue
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 16 Jan 2013 08:45:02 -0700
On 01/15/2013 10:49 PM, Kurt Seifried wrote:
> On 01/15/2013 12:23 PM, Florian Weimer wrote:
>> Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might allow login with any password if the SQL query for the password returns NULL.
>>
>> Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
>> Patch: <https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>
>>
>> As usual, I'm not sure if this constitutes a security bug, but we'll probably fix this nevertheless if we get the opportunity.
>
> Please use CVE-2013-0188 for this issue. In general I think we take a strict line on password parsing; I can see programs that might create new accounts with a NULL password, especially on the theory that the front end/etc. forces a password to be entered that isn't NULL.

Argh, I made a typo in the CVE assignment for Squid and accidentally typed CVE-2013-0188 for it as well (normally I cut and paste, this is why). Please REJECT CVE-2013-0188.

Please use CVE-2013-0191 for the "pam-pgsql NULL password issue"
Please use CVE-2013-0189 for the "SQUID incomplete fix for CVE-2012-5643"

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
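The NULL-password failure mode Florian describes, as an added example that is not pam-pgsql's own code and does not use libpq: the stored credential is passed in directly (a C NULL standing in for the SQL NULL column), and a plain string comparison stands in for the module's real hash verification. The "vulnerable" function is a constructed illustration of the fail-open shape, not the module's actual logic.

```c
/* Added example, not pam-pgsql's own code: fail-closed handling of a SQL NULL
 * in the password column.  stored_hash == NULL models a NULL column; the
 * string compare stands in for real crypt()-style verification.  Note that
 * libpq's PQgetvalue() returns "" for a SQL NULL, so only PQgetisnull() can
 * tell a NULL column apart from an empty string. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define AUTH_OK  0
#define AUTH_ERR 1

/* Constant-time equality over two NUL-terminated strings. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable shape (constructed for contrast, not the actual pam-pgsql
 * logic): a NULL column is read as "" and an empty stored credential is
 * taken to mean "no password set", so any supplied password is accepted. */
int auth_vulnerable(const char *stored_hash, const char *password)
{
    const char *stored = stored_hash ? stored_hash : "";
    if (stored[0] == '\0')
        return AUTH_OK;                 /* bug: NULL/empty -> login succeeds */
    return ct_equal(stored, password) ? AUTH_OK : AUTH_ERR;
}

/* Hardened: a NULL or empty stored credential never authenticates, and a
 * missing supplied password is rejected before any comparison is made. */
int auth_hardened(const char *stored_hash, const char *password)
{
    if (stored_hash == NULL || stored_hash[0] == '\0')
        return AUTH_ERR;
    if (password == NULL)
        return AUTH_ERR;
    return ct_equal(stored_hash, password) ? AUTH_OK : AUTH_ERR;
}
```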