diff -u pam-pgsql-0.6.3/debian/changelog pam-pgsql-0.6.3/debian/changelog
--- pam-pgsql-0.6.3/debian/changelog
+++ pam-pgsql-0.6.3/debian/changelog
@@ -1,3 +1,16 @@
+pam-pgsql (0.6.3-0ubuntu1.8.04.1) hardy-security; urgency=low
+
+ * SECURITY UPDATE: local users may bypass authentication and gain
+ privileges by sending at the password prompt.
+ * pam_pgsql.c: applied Debian patch to fix operator precedence
+ (Fixes LP: #242690)
+ * pam_get_service.c: applied Debian patch from 0.6.3-2 to fix FTBFS
+ * References
+ CVE-2008-2516
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970
+
+ -- Thierry Carrez Wed, 25 Jun 2008 21:04:24 +0200
+
 pam-pgsql (0.6.3-0ubuntu1) gutsy; urgency=low
 * New Upstream release
only in patch2:
unchanged:
--- pam-pgsql-0.6.3.orig/pam_get_service.c
+++ pam-pgsql-0.6.3/pam_get_service.c
@@ -3,6 +3,7 @@
 */
 /* $Id: pam_get_service.c,v 1.2 2000/06/25 10:01:41 ljb Exp $ */
+#include
 #include
 const char *pam_get_service(pam_handle_t *pamh)
only in patch2:
unchanged:
--- pam-pgsql-0.6.3.orig/pam_pgsql.c
+++ pam-pgsql-0.6.3/pam_pgsql.c
@@ -583,7 +583,7 @@
 if ((rc = pam_get_user(pamh, &user, NULL)) == PAM_SUCCESS) {
 if ((rc = get_module_options(argc, argv, &options)) == PAM_SUCCESS) {
 DBGLOG("attempting to authenticate: %s", user);
- if ((rc = pam_get_pass(pamh, PAM_AUTHTOK, &password, PASSWORD_PROMPT, options->std_flags) == PAM_SUCCESS)) {
+ if ((rc = pam_get_pass(pamh, PAM_AUTHTOK, &password, PASSWORD_PROMPT, options->std_flags)) == PAM_SUCCESS) {
 if ((rc = auth_verify_password(pam_get_service(pamh), user, password, rhost, options)) == PAM_SUCCESS) {
 if ((password == 0 || *password == 0) && (flags & PAM_DISALLOW_NULL_AUTHTOK)) {
 rc = PAM_AUTH_ERR;
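Review bot: In the pam_pgsql.c hunk the empty-authtok check `(password == 0 || *password == 0) && (flags & PAM_DISALLOW_NULL_AUTHTOK)` still runs only after `auth_verify_password()` has already been called with that same `password`, so a NULL or empty token reaches the backend lookup before it is rejected, and a NULL `password` is handed to a function whose handling of NULL is not visible here. Moving the guard ahead of the verification call keeps the rejection local and avoids the possible NULL dereference: `if ((password == 0 || *password == 0) && (flags & PAM_DISALLOW_NULL_AUTHTOK)) { rc = PAM_AUTH_ERR; } else if ((rc = auth_verify_password(pam_get_service(pamh), user, password, rhost, options)) == PAM_SUCCESS) {`. The closing braces of the existing nested `if` blocks lie past the end of the hunk and would need matching adjustment. The precedence fix itself on the `pam_get_pass` line is correct as written: `rc` now receives the PAM return code rather than the result of the comparison, so a failed prompt can no longer leave `rc` equal to PAM_SUCCESS; the enclosing function starts and ends outside this hunk.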