pam-auth-update does not prohibit selecting an empty set of modules

Bug #410171 reported by Steve Langasek on 2009-08-07
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pam (Debian)
Fix Released
Unknown
pam (Ubuntu)
High
Steve Langasek
Intrepid
High
Kees Cook
Jaunty
High
Kees Cook
Karmic
High
Steve Langasek

Bug Description

If:

- You set the debconf priority to medium or lower.
- You are using the readline frontend instead of the default dialog or GNOME frontend.
- You do not have libterm-readline-gnu-perl installed.

then pam-auth-update will by default enable *no* profiles, resulting in an insecure system that lets anyone in as any user, with or without a password.

The fix for this is pending in bzr for Debian unstable and karmic.

ProblemType: Bug
Architecture: amd64
Date: Fri Aug 7 09:05:33 2009
DistroRelease: Ubuntu 9.10
Package: libpam-runtime 1.0.1-9ubuntu3
PackageArchitecture: all
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-5.24-generic
SourcePackage: pam
Uname: Linux 2.6.31-5-generic x86_64

Steve Langasek (vorlon) wrote :
Steve Langasek (vorlon) on 2009-08-07
Changed in pam (Ubuntu Intrepid):
importance: Undecided → High
status: New → Triaged
Changed in pam (Ubuntu Jaunty):
importance: Undecided → High
status: New → Triaged
Changed in pam (Ubuntu Karmic):
assignee: nobody → Steve Langasek (vorlon)
importance: Undecided → High
status: New → Triaged
visibility: private → public
Steve Langasek (vorlon) wrote :

patch for intrepid.

Steve Langasek (vorlon) wrote :

revised patch for intrepid, with correct bug number.

Changed in pam (Debian):
status: Unknown → Fix Committed
Steve Langasek (vorlon) wrote :

patch for jaunty.

Steve Langasek (vorlon) wrote :

Sigh; further revisions to the debdiffs. Do *not* use the earlier versions, which will cause a scary prompt to be shown to all users on upgrade, whether or not it's necessary...

Steve Langasek (vorlon) wrote :
Launchpad Janitor (janitor) wrote :
Download full text (3.2 KiB)

This bug was fixed in the package pam - 1.0.1-10ubuntu1

---------------
pam (1.0.1-10ubuntu1) karmic; urgency=low

  * Merge from Debian, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf. (should send to Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
      module option 'missingok' which will suppress logging of errors by
      libpam if the module is not found.
    - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
      password on bad username.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/local/common-password, debian/pam-configs/unix: switch from
      "md5" to "sha512" as password crypt default.
    - Make libpam-modules depend on base-files (>= 5.0.0ubuntu6), to ensure
      run-parts does the right thing in /etc/update-motd.d.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent showing
      it again.

pam (1.0.1-10) unstable; urgency=high

  [ Steve Langasek ]
  * Updated debconf translations:
    - Finnish, thanks to Esko Arajärvi <email address hidden> (closes: #520785)
    - Russian, thanks to Yuri Kozlov <email address hidden> (closes: #521874)
    - German, thanks to Sven Joachim <email address hidden> (closes: #521530)
    - Basque, thanks to Piarres Beobide <email address hidden>
      (closes: #524285)
  * When no profiles are chosen in pam-auth-update, throw an error message
    and prompt again instead of letting the user end up with an insecure
    system. This introduces a new debconf template. Closes: #519927,
    LP: #410171.

  [ Kees Cook ]
  * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes
    for MINDAYS-Field regression (closes: #514437).
  * debian/control: add missing misc:Depends for packages that need it.

  [ Sam Hartman ]
  * Remove conflicts information for transitions prior to woody release
  * Fix lintian overrides for libpam-runtime
  * Overrides for lintian finding quilt patches
  * pam_mail-fix-quiet: patch from Andreas Henriksson
    applied upstream to fix quiet option of pam_mail, Closes: #439268

  [ Dustin Kirkland ]
  * debian/patches/update-motd: run the update-motd scripts in pam_motd;
    render update-motd obsolete, LP: #399071

  [ Sam Hartman ]
  * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
    (CVE-2009-0887) (Closes: #520115)

 -- Steve Langasek <steve.la...

Read more...

Changed in pam (Ubuntu Karmic):
status: Triaged → Fix Released
Kees Cook (kees) on 2009-09-03
Changed in pam (Ubuntu Intrepid):
assignee: nobody → Kees Cook (kees)
status: Triaged → In Progress
Changed in pam (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
status: Triaged → In Progress
Kees Cook (kees) on 2009-09-04
Changed in pam (Ubuntu Jaunty):
status: In Progress → Fix Committed
Changed in pam (Ubuntu Intrepid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.0.1-9ubuntu1.1

---------------
pam (1.0.1-9ubuntu1.1) jaunty-security; urgency=low

  * When no profiles are chosen in pam-auth-update, throw an error message
    and prompt again instead of letting the user end up with an insecure
    system. This introduces a new debconf template. LP: #410171.

 -- Steve Langasek <email address hidden> Fri, 07 Aug 2009 09:32:50 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.0.1-4ubuntu5.6

---------------
pam (1.0.1-4ubuntu5.6) intrepid-security; urgency=low

  * When no profiles are chosen in pam-auth-update, throw an error message
    and prompt again instead of letting the user end up with an insecure
    system. This introduces a new debconf template. LP: #410171.

 -- Steve Langasek <email address hidden> Fri, 07 Aug 2009 09:24:13 +0100

Changed in pam (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in pam (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Abe (ahsmartchoice) on 2009-09-09
Changed in pam (Debian):
status: Fix Committed → Confirmed
Steve Langasek (vorlon) on 2009-09-09
Changed in pam (Debian):
status: Confirmed → Fix Released
Kees Cook (kees) wrote :

CVE-2009-3232

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.