Message-ID: <20090908223116.GF7304@outflux.net>
Date: Tue, 8 Sep 2009 15:31:16 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-828-1] PAM vulnerability
===========================================================
Ubuntu Security Notice USN-828-1 September 08, 2009
pam vulnerability
https://launchpad.net/bugs/410171
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libpam-runtime 1.0.1-4ubuntu5.6

Ubuntu 9.04:
  libpam-runtime 1.0.1-9ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Russell Senior discovered that the system authentication module
selection mechanism for PAM did not safely handle an empty selection.
If an administrator had specifically removed the default list of modules
or failed to choose a module when operating debconf in a very unlikely
non-default configuration, PAM would allow any authentication attempt,
which could lead to remote attackers gaining access to a system with
arbitrary privileges. This did not affect default Ubuntu installations.
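
An audit check for the condition described above, added here as an example; it is not part of the advisory or of the Ubuntu packages. It replays the `auth` lines of a PAM service file with every module failing except `pam_permit.so` and reports whether the stack still succeeds. Assumptions: an emptied selection leaves a stack in which only `pam_permit.so` can return success, the control-flag model is simplified, `@include` lines are not followed, and the function names and sample stacks are constructed for illustration.

```python
import re

# Shorthand controls in libpam's bracket form (simplified from pam.conf(5)).
SHORTHAND = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}
# Constructed sample stacks, not copied from the advisory or the package.
NORMAL_STACK = """auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
"""
EMPTIED_STACK = "# nothing selected\nauth required pam_permit.so\n"

def parse_auth_stack(text):
    """Return [(actions, module_name)] for the auth lines of a PAM file."""
    stack = []
    for raw in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", raw.split("#")[0].strip())
        if not m:
            continue  # blank, comment, other type, or @include (not followed)
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = SHORTHAND.get(control, {"default": "bad"})
        stack.append((actions, module.rsplit("/", 1)[-1]))
    return stack

def accepts_without_credentials(text):
    """Run the stack with every module failing except pam_permit.so."""
    stack, status, i = parse_auth_stack(text), None, 0
    while i < len(stack):
        actions, module = stack[i]
        result = "success" if module == "pam_permit.so" else "auth_err"
        action = actions.get(result, actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)  # jump over the next N modules
        elif action in ("ok", "done") and status is None:
            status = True
        elif action in ("bad", "die"):
            status = False
        elif action == "reset":
            status = None
        if action == "die" or (action == "done" and status):
            break
    return status is True
```

Run `accepts_without_credentials()` over the contents of `/etc/pam.d/common-auth`; a `True` result means the stack grants access without any credential check passing.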
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-4ubuntu5.6.diff.gz
Size/MD5: 163787 1fe83c5f51260520402bd43e33267d4f
http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-4ubuntu5.6.dsc
Size/MD5: 1632 5962a19a022e6eb7af577b88719a64c4
http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1.orig.tar.gz
Size/MD5: 1597124 bcaa5d9bf84137e0d128b2ff9b63b1d7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-doc_1.0.1-4ubuntu5.6_all.deb
Size/MD5: 292106 89104df9cea238eb924fa7fbb0f80d35
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-runtime_1.0.1-4ubuntu5.6_all.deb
Size/MD5: 89482 94993aae326381ddcd4279ed9c61e357
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_amd64.deb
Size/MD5: 71576 f46ffb12fc109a58b2ebe9d36fd1173e
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_amd64.deb
Size/MD5: 312240 ccade228ed92c9f524b088617b42ce64
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_amd64.deb
Size/MD5: 169324 8fce97f395a60b4ad7f821827458e7ab
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_amd64.deb
Size/MD5: 113888 5b6fd51cbc3f936e6e11fdb1a9131a52
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_i386.deb
Size/MD5: 71552 360601c0c24308561fe7d50a9b9bc5e7
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_i386.deb
Size/MD5: 299738 020d7196d87df2cdf17c739f9e6bf0f5
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_i386.deb
Size/MD5: 167018 69ed60f901436960e21e0b604ae4b19b
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_i386.deb
Size/MD5: 111132 4afeb993ed5910e108c3fc4f9ba645b5
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_lpia.deb
Size/MD5: 71470 112033e2f1f641fec967e28f3503f88e
http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_lpia.deb
Size/MD5: 295984 c8303ffbb776fdce4e20c999150f3549
http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_lpia.deb
Size/MD5: 165548 a8502044f6c5fac5900559d0e85fc62f
http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_lpia.deb
Size/MD5: 110474 86c7473158e190237969445a51c49d30
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_powerpc.deb
Size/MD5: 72010 da7ce309e25fade724ff291120d1866d
http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_powerpc.deb
Size/MD5: 329746 19febf8a9d5e3a62c0957dff09dfc8c8
http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_powerpc.deb
Size/MD5: 167526 40420891673085c3889ebba39b1a92b7
http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_powerpc.deb
Size/MD5: 114658 06a1523fa01a77ec8eb2f8eec8e7b4bf
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_sparc.deb
Size/MD5: 71854 3762836827676a721f744c06067a9ed5
http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_sparc.deb
Size/MD5: 307930 5afecfdbe6783dead53c8163987c053e
http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_sparc.deb
Size/MD5: 165724 953d7c06d9e969205590547908a218ff
http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_sparc.deb
Size/MD5: 110084 e59026f8d7ef007226c5c7f655c96715
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-9ubuntu1.1.diff.gz
Size/MD5: 175094 bd19264e4bc268b93ea8051891d60358
http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-9ubuntu1.1.dsc
Size/MD5: 1647 d8f0a97594fc195887fba7571c4c3a8a
http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1.orig.tar.gz
Size/MD5: 1597124 bcaa5d9bf84137e0d128b2ff9b63b1d7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-doc_1.0.1-9ubuntu1.1_all.deb
Size/MD5: 294386 a1dc4b7037ad23c3d89d319f0187248c
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-runtime_1.0.1-9ubuntu1.1_all.deb
Size/MD5: 96516 144e443069b69c0aaf79ad5b2301a7c1
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_amd64.deb
Size/MD5: 73552 ff6f45229dd25e013d2c0acdd7e5898c
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_amd64.deb
Size/MD5: 320028 410602c6accef6cb82e83ad3c32c12ac
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_amd64.deb
Size/MD5: 171200 56ee87d117327fbb902291405e674350
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_amd64.deb
Size/MD5: 114486 b6a59775958df6ac10d354e6ce7575b8
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_i386.deb
Size/MD5: 73552 cbb43b547a0886ec4f20ab21c9338b7d
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_i386.deb
Size/MD5: 307566 361a58936b65d3519b6acf39a9177deb
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_i386.deb
Size/MD5: 169118 f6f289d28cfaaccb5aceea1ac5f22ecd
http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_i386.deb
Size/MD5: 111680 e2b4440a2f798d37c487634a12d0df7e
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_lpia.deb
Size/MD5: 73474 18c142eaf4a374233d8e72fd28d17966
http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_lpia.deb
Size/MD5: 303786 65710e21f376738f71985c3d18c6f030
http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_lpia.deb
Size/MD5: 167568 9dda4d3f0d81aa5f198631b713018141
http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_lpia.deb
Size/MD5: 111010 8e401f2b53829b58b72c2a7571bee535
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_powerpc.deb
Size/MD5: 73996 887c6fe91ae2b61e77cb50b0471e8a1a
http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_powerpc.deb
Size/MD5: 337472 76b8f2ddbc5453ff94534c6a296878e7
http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_powerpc.deb
Size/MD5: 169496 595a4bee24df62351470ad78c05f7e1c
http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_powerpc.deb
Size/MD5: 115212 1d1fe4a8ac390715a77f01bd848ac675
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_sparc.deb
Size/MD5: 73822 d2ed085a627031b586e766d0f296d88a
http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_sparc.deb
Size/MD5: 315450 67ca1f028084a8c7ab2ba53c6d3a0bdd
http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_sparc.deb
Size/MD5: 167712 41e1424818de65bf70198dac7509fc99
http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_sparc.deb
Size/MD5: 110544 d1588a9af160a56abc0a8d4f3320c97b