Debian Security Advisory

DSA-177-1 pam -- serious security violation

Date Reported:
17 Oct 2002
Affected Packages:
pam
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2002-1227.
More information:

A serious security violation in PAM was discovered. Disabled passwords (i.e. those with '*' in the password file) were classified as empty password and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable distribution (sid). The stable distribution (woody), the old stable distribution (potato) and the testing distribution (sarge) are not affected by this problem.

As stated in the Debian security team FAQ, testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. This security advisory is an exception to that rule, due to the seriousness of the problem.

We recommend that you upgrade your PAM packages immediately if you are running Debian/unstable.

Fixed in:

Debian GNU/Linux unstable (sid)

Source:
http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
Architecture-independent component:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
Alpha:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
ARM:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
Intel IA-32:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
Intel IA-64:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
HP Precision:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
Motorola 680x0:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
Big endian MIPS:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
Little endian MIPS:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
PowerPC:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
IBM S/390:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
Sun Sparc:
http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb
http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb

MD5 checksums of the listed files are available in the original advisory.