Message-ID: <20090908223116.GF7304@outflux.net>
Date: Tue, 8 Sep 2009 15:31:16 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-828-1] PAM vulnerability

===========================================================
Ubuntu Security Notice USN-828-1         September 08, 2009
pam vulnerability
https://launchpad.net/bugs/410171
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libpam-runtime                  1.0.1-4ubuntu5.6

Ubuntu 9.04:
  libpam-runtime                  1.0.1-9ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Russell Senior discovered that the system authentication module
selection mechanism for PAM did not safely handle an empty selection.
If an administrator had specifically removed the default list of modules
or failed to choose a module when operating debconf in a very unlikely
non-default configuration, PAM would allow any authentication attempt,
which could lead to remote attackers gaining access to a system with
arbitrary privileges.  This did not affect default Ubuntu installations.
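The failure mode above (an auth stack that can succeed without any real authenticator ever running) is easy to check for by walking the stack the way pam_authenticate() does. The simulator below is an added example written for this page; it is not Ubuntu's pam-auth-update code and not Linux-PAM's dispatcher. The three config fragments are constructed: the "primary block / pam_deny / pam_permit" layout follows the shape pam-auth-update writes, but the exact stack produced by an empty selection is assumed, as is the rule that a stack yielding no result at all is treated as a denial. Module outcomes are reduced to success or failure, which is enough to show the difference between a stack that is only pam_permit and one with an explicit deny in front of it.

```python
"""Simulate Linux-PAM auth-stack evaluation (simplified; added example).

Shows why an empty module selection that leaves only pam_permit.so on the
auth stack grants every login, and why an explicit pam_deny.so fixes it.
"""
import re

SUCCESS, FAIL = "success", "fail"

# Simple control keywords expanded to the [success=... default=...] form
# documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# type  control(keyword or [bracketed list])  module  args...
LINE_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text, service_type="auth"):
    """Return [(control_dict, module_name), ...] for one management group."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable pam line: %r" % raw)
        mtype, control, module, _args = m.groups()
        if mtype != service_type:
            continue
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        stack.append((ctl, module))
    return stack


def evaluate(stack, results):
    """Walk the stack like pam_authenticate(). `results` maps the name of each
    real module to SUCCESS/FAIL (missing = FAIL, i.e. bad credentials);
    pam_permit.so and pam_deny.so are fixed by definition."""
    impression, status = None, None          # None: nothing decided yet
    i = 0
    while i < len(stack):
        ctl, module = stack[i]
        i += 1
        if module == "pam_permit.so":
            ret = SUCCESS
        elif module == "pam_deny.so":
            ret = FAIL
        else:
            ret = results.get(module, FAIL)
        key = "success" if ret == SUCCESS else "default"
        action = ctl.get(key, ctl.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "ok":                   # record a positive result
            if impression != "neg":
                impression, status = "pos", ret
        elif action in ("bad", "die"):       # record a failure; die stops
            if impression != "neg":
                impression, status = "neg", FAIL
            if action == "die":
                break
        elif action == "done":               # return success immediately
            if impression != "neg":
                return SUCCESS
        elif action.isdigit():               # jump over the next N modules
            if impression is None:
                impression, status = "pos", ret
            i += int(action)
        else:
            raise ValueError("unsupported action %r" % action)
    # Assumption: a stack that never set a result is a denial.
    return SUCCESS if (impression == "pos" and status == SUCCESS) else FAIL


def grants_without_credentials(config_text):
    """The check an administrator wants: does the auth stack succeed when
    every real authenticator fails (attacker with no valid password)?"""
    return evaluate(parse_stack(config_text), results={}) == SUCCESS


# Constructed: assumed shape of the stack when no module is selected and no
# fallback deny line is written.
EMPTY_SELECTION = """
auth    required    pam_permit.so
"""
# Constructed: the same empty selection with an explicit deny in front.
EMPTY_SELECTION_FIXED = """
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""
# Constructed: a pam-auth-update style stack with one primary module.
WITH_PAM_UNIX = """
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

if __name__ == "__main__":
    for name, cfg in (("empty selection", EMPTY_SELECTION),
                      ("empty selection + pam_deny", EMPTY_SELECTION_FIXED),
                      ("pam_unix stack", WITH_PAM_UNIX)):
        print("%-28s grants with no valid credentials: %s"
              % (name, grants_without_credentials(cfg)))
```

Run it as a script to see the three verdicts; to audit a real system under the same simplifications, pass the contents of /etc/pam.d/common-auth to grants_without_credentials(). Any stack for which it returns True deserves the fix this notice describes.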


Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-4ubuntu5.6.diff.gz
      Size/MD5:   163787 1fe83c5f51260520402bd43e33267d4f
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-4ubuntu5.6.dsc
      Size/MD5:     1632 5962a19a022e6eb7af577b88719a64c4
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1.orig.tar.gz
      Size/MD5:  1597124 bcaa5d9bf84137e0d128b2ff9b63b1d7

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-doc_1.0.1-4ubuntu5.6_all.deb
      Size/MD5:   292106 89104df9cea238eb924fa7fbb0f80d35
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-runtime_1.0.1-4ubuntu5.6_all.deb
      Size/MD5:    89482 94993aae326381ddcd4279ed9c61e357

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_amd64.deb
      Size/MD5:    71576 f46ffb12fc109a58b2ebe9d36fd1173e
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_amd64.deb
      Size/MD5:   312240 ccade228ed92c9f524b088617b42ce64
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_amd64.deb
      Size/MD5:   169324 8fce97f395a60b4ad7f821827458e7ab
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_amd64.deb
      Size/MD5:   113888 5b6fd51cbc3f936e6e11fdb1a9131a52

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_i386.deb
      Size/MD5:    71552 360601c0c24308561fe7d50a9b9bc5e7
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_i386.deb
      Size/MD5:   299738 020d7196d87df2cdf17c739f9e6bf0f5
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_i386.deb
      Size/MD5:   167018 69ed60f901436960e21e0b604ae4b19b
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_i386.deb
      Size/MD5:   111132 4afeb993ed5910e108c3fc4f9ba645b5

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_lpia.deb
      Size/MD5:    71470 112033e2f1f641fec967e28f3503f88e
    http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_lpia.deb
      Size/MD5:   295984 c8303ffbb776fdce4e20c999150f3549
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_lpia.deb
      Size/MD5:   165548 a8502044f6c5fac5900559d0e85fc62f
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_lpia.deb
      Size/MD5:   110474 86c7473158e190237969445a51c49d30

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_powerpc.deb
      Size/MD5:    72010 da7ce309e25fade724ff291120d1866d
    http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_powerpc.deb
      Size/MD5:   329746 19febf8a9d5e3a62c0957dff09dfc8c8
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_powerpc.deb
      Size/MD5:   167526 40420891673085c3889ebba39b1a92b7
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_powerpc.deb
      Size/MD5:   114658 06a1523fa01a77ec8eb2f8eec8e7b4bf

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-4ubuntu5.6_sparc.deb
      Size/MD5:    71854 3762836827676a721f744c06067a9ed5
    http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-4ubuntu5.6_sparc.deb
      Size/MD5:   307930 5afecfdbe6783dead53c8163987c053e
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-4ubuntu5.6_sparc.deb
      Size/MD5:   165724 953d7c06d9e969205590547908a218ff
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-4ubuntu5.6_sparc.deb
      Size/MD5:   110084 e59026f8d7ef007226c5c7f655c96715

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-9ubuntu1.1.diff.gz
      Size/MD5:   175094 bd19264e4bc268b93ea8051891d60358
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1-9ubuntu1.1.dsc
      Size/MD5:     1647 d8f0a97594fc195887fba7571c4c3a8a
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/pam_1.0.1.orig.tar.gz
      Size/MD5:  1597124 bcaa5d9bf84137e0d128b2ff9b63b1d7

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-doc_1.0.1-9ubuntu1.1_all.deb
      Size/MD5:   294386 a1dc4b7037ad23c3d89d319f0187248c
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-runtime_1.0.1-9ubuntu1.1_all.deb
      Size/MD5:    96516 144e443069b69c0aaf79ad5b2301a7c1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_amd64.deb
      Size/MD5:    73552 ff6f45229dd25e013d2c0acdd7e5898c
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_amd64.deb
      Size/MD5:   320028 410602c6accef6cb82e83ad3c32c12ac
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_amd64.deb
      Size/MD5:   171200 56ee87d117327fbb902291405e674350
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_amd64.deb
      Size/MD5:   114486 b6a59775958df6ac10d354e6ce7575b8

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_i386.deb
      Size/MD5:    73552 cbb43b547a0886ec4f20ab21c9338b7d
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_i386.deb
      Size/MD5:   307566 361a58936b65d3519b6acf39a9177deb
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_i386.deb
      Size/MD5:   169118 f6f289d28cfaaccb5aceea1ac5f22ecd
    http://security.ubuntu.com/ubuntu/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_i386.deb
      Size/MD5:   111680 e2b4440a2f798d37c487634a12d0df7e

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_lpia.deb
      Size/MD5:    73474 18c142eaf4a374233d8e72fd28d17966
    http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_lpia.deb
      Size/MD5:   303786 65710e21f376738f71985c3d18c6f030
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_lpia.deb
      Size/MD5:   167568 9dda4d3f0d81aa5f198631b713018141
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_lpia.deb
      Size/MD5:   111010 8e401f2b53829b58b72c2a7571bee535

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_powerpc.deb
      Size/MD5:    73996 887c6fe91ae2b61e77cb50b0471e8a1a
    http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_powerpc.deb
      Size/MD5:   337472 76b8f2ddbc5453ff94534c6a296878e7
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_powerpc.deb
      Size/MD5:   169496 595a4bee24df62351470ad78c05f7e1c
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_powerpc.deb
      Size/MD5:   115212 1d1fe4a8ac390715a77f01bd848ac675

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/pam/libpam-cracklib_1.0.1-9ubuntu1.1_sparc.deb
      Size/MD5:    73822 d2ed085a627031b586e766d0f296d88a
    http://ports.ubuntu.com/pool/main/p/pam/libpam-modules_1.0.1-9ubuntu1.1_sparc.deb
      Size/MD5:   315450 67ca1f028084a8c7ab2ba53c6d3a0bdd
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g-dev_1.0.1-9ubuntu1.1_sparc.deb
      Size/MD5:   167712 41e1424818de65bf70198dac7509fc99
    http://ports.ubuntu.com/pool/main/p/pam/libpam0g_1.0.1-9ubuntu1.1_sparc.deb
      Size/MD5:   110544 d1588a9af160a56abc0a8d4f3320c97b



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
