<Ctrl+C> might allow to bypass authentication

Bug #242690 reported by Thierry Carrez
Affects               Status        Importance  Assigned to  Milestone
pam-pgsql (Debian)    Fix Released  Unknown
pam-pgsql (Ubuntu)    Fix Released  High        Unassigned
  Gutsy               Fix Released  High        Unassigned
  Hardy               Fix Released  High        Unassigned
  Intrepid            Fix Released  High        Unassigned

Bug Description

CVE-2008-2516
pam_sm_authenticate in pam_pgsql.c in libpam-pgsql 0.6.3 does not properly consider operator precedence when evaluating the success of a pam_get_pass function call, which allows local users to gain privileges via a SIGINT signal when this function is executing, as demonstrated by a CTRL-C sequence at a sudo password prompt in an "auth sufficient pam_pgsql.so" configuration.

Affected : gutsy, hardy, intrepid
Fixed in Debian 0.6.3-2, I'm working on a fakesync (our orig.tar.gz is broken)

Revision history for this message
Thierry Carrez (ttx) wrote :

The minimal fix, for the record (and learning).

Thierry Carrez (ttx) wrote :

Debdiff for the fake sync to 0.6.3-2 to intrepid

Changed in pam-pgsql:
status: Unknown → Fix Released
William Grant (wgrant) wrote :

Are you able to prepare and test fixes for Gutsy and Hardy as well? Simply applying that parentheses-addition patch should do, but I've nowhere to test this.

Changed in pam-pgsql:
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
Thierry Carrez (ttx) wrote :

Here is the debdiff for hardy.
I had to apply an extra patch because the current version in hardy FTBFS.
I have tested that it closes the hole, but I've not tested that there are no regressions in usual features.

Thierry Carrez (ttx) wrote :

New debdiff for hardy, with proper version number.
Furthermore I've tested on a basic setup that there was no obvious regression.

I'm working on the gutsy one.

Thierry Carrez (ttx) wrote :

Debdiff for gutsy.
The package also FTBFS in pbuilder so I applied the same patch.

Thierry Carrez (ttx) wrote :

Subscribing ubuntu-universe-sponsors to help getting the fake-sync in comment 2 into Intrepid first.

Changed in pam-pgsql:
status: Triaged → Fix Committed
status: Triaged → Fix Committed
Changed in pam-pgsql:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-pgsql - 0.6.3-0ubuntu1.8.04.1

---------------
pam-pgsql (0.6.3-0ubuntu1.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: local users may bypass authentication and gain
    privileges by sending <CTRL-C> at the password prompt.
  * pam_pgsql.c: applied Debian patch to fix operator precedence
    (Fixes LP: #242690)
  * pam_get_service.c: applied Debian patch from 0.6.3-2 to fix FTBFS
  * References
    CVE-2008-2516
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=441679

 -- Thierry Carrez <email address hidden> Wed, 25 Jun 2008 21:04:24 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam-pgsql - 0.6.3-0ubuntu1.7.10.1

---------------
pam-pgsql (0.6.3-0ubuntu1.7.10.1) gutsy-security; urgency=low

  * SECURITY UPDATE: local users may bypass authentication and gain
    privileges by sending <CTRL-C> at the password prompt.
  * pam_pgsql.c: applied Debian patch to fix operator precedence
    (Fixes LP: #242690)
  * pam_get_service.c: applied Debian patch from 0.6.3-2 to fix FTBFS
  * References
    CVE-2008-2516
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=441679

 -- Thierry Carrez <email address hidden> Wed, 25 Jun 2008 19:26:46 +0000

Changed in pam-pgsql:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in pam-pgsql:
status: Fix Committed → Fix Released
reidmefirst (reid-launchpad) wrote :

Naive question about a bug that was closed a year ago...

Can a user do a similar thing with pam_pgsql when changing her password? For example the operator precedence in pam_sm_chauthtok() line 696 is:

if ((rc = pam_get_pass(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT, options->std_flags)) == PAM_SUCCESS) {

which is identical to the buggy operator precedence being performed in the old version of pam_sm_authenticate(). Is it possible for a malicious user to change a victim's password in this way if pam_pgsql is used and the victim walked away without locking their screen?

Reid

Thierry Carrez (ttx) wrote :

The operator precedence you quote from line 696 looks like the fixed one, not the buggy one ?
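
To make the difference between the two forms concrete, here is an added, self-contained C illustration of the precedence bug described in CVE-2008-2516 above and of the parenthesised form Reid quotes from pam_sm_chauthtok(). It is not pam_pgsql's code: pam_get_pass() and check_password() are stubs standing in for the real prompt and the database lookup, the "hunter2" credential is constructed, and the assumption that the module ends by returning rc is exactly that, an assumption about the shape of the function, chosen because it is what turns the precedence slip into a bypass. The PAM return-code values are the real Linux-PAM ones. In C, `rc = f() == PAM_SUCCESS` parses as `rc = (f() == PAM_SUCCESS)`, so rc is 0 or 1 rather than f()'s return value; since PAM_SUCCESS is 0, a failed prompt (what an interrupted conversation yields) leaves rc equal to PAM_SUCCESS. With the parentheses moved, `(rc = f()) == PAM_SUCCESS`, rc holds the real return code and the failure propagates.

```c
/* Added example illustrating the CVE-2008-2516 precedence bug.
 * Not pam_pgsql code: the prompt and password check are stubs, and the
 * "return rc" tail is an assumption about the module's structure. */
#include <stdio.h>
#include <string.h>

/* Return codes as defined by Linux-PAM (<security/_pam_types.h>). */
#define PAM_SUCCESS   0
#define PAM_OPEN_ERR  1
#define PAM_AUTH_ERR  7
#define PAM_CONV_ERR  19

/* Stub for the password prompt. An interrupted conversation (what Ctrl-C at
 * the prompt produces through the PAM conversation function) yields
 * PAM_CONV_ERR; otherwise the typed password is handed back with PAM_SUCCESS. */
static int pam_get_pass(const char *typed, const char **pass, int interrupted)
{
    if (interrupted) {
        *pass = NULL;
        return PAM_CONV_ERR;
    }
    *pass = typed;
    return PAM_SUCCESS;
}

/* Stub for the database lookup; "hunter2" is a constructed sample credential. */
static int check_password(const char *pass)
{
    const char *correct = "hunter2";
    return (pass != NULL && strcmp(pass, correct) == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Buggy shape: rc = (pam_get_pass(...) == PAM_SUCCESS), i.e. rc is 1 or 0.
 * When the prompt fails the comparison is false, rc becomes 0, and 0 is
 * PAM_SUCCESS: the function reports success without seeing a password. */
int authenticate_buggy(const char *typed, int interrupted)
{
    const char *pass;
    int rc;

    if (rc = pam_get_pass(typed, &pass, interrupted) == PAM_SUCCESS) {
        rc = check_password(pass);
    }
    return rc;
}

/* Fixed shape (the parentheses-addition patch): rc holds the real return
 * code, so a failed prompt propagates as PAM_CONV_ERR instead of success. */
int authenticate_fixed(const char *typed, int interrupted)
{
    const char *pass;
    int rc;

    if ((rc = pam_get_pass(typed, &pass, interrupted)) == PAM_SUCCESS) {
        rc = check_password(pass);
    }
    return rc;
}

int main(void)
{
    printf("buggy, correct password : rc=%d\n", authenticate_buggy("hunter2", 0));
    printf("buggy, wrong password   : rc=%d\n", authenticate_buggy("wrong", 0));
    printf("buggy, Ctrl-C at prompt : rc=%d  <- PAM_SUCCESS, the bypass\n",
           authenticate_buggy("wrong", 1));
    printf("fixed, Ctrl-C at prompt : rc=%d  <- PAM_CONV_ERR\n",
           authenticate_fixed("wrong", 1));
    return 0;
}
```

The bypass only becomes a privilege escalation because of the stack configuration named in the CVE text: with `auth sufficient pam_pgsql.so`, a PAM_SUCCESS from this module ends the auth stack successfully, so no later module gets a chance to ask for a password. Compilers warn about the buggy form ("suggest parentheses around assignment used as truth value" under -Wall in GCC), which is a cheap check worth keeping enabled in any PAM module build.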
