Debian Security Advisory

DSA-177-1 pam -- serious security violation

Date Reported:

17 Oct 2002

Affected Packages:

pam

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2002-1227.

More information:

A serious security violation in PAM was discovered. Disabled passwords (i.e. those with '*' in the password file) were classified as empty password and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable distribution (sid). The stable distribution (woody), the old stable distribution (potato) and the testing distribution (sarge) are not affected by this problem.

As stated in the Debian security team FAQ, testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. This security advisory is an exception to that rule, due to the seriousness of the problem.

We recommend that you upgrade your PAM packages immediately if you are running Debian/unstable.

Fixed in:

Debian GNU/Linux unstable (sid)

Source:: http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz; http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
Architecture-independent component:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
Alpha:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
ARM:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
Intel IA-32:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
Intel IA-64:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
HP Precision:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
Motorola 680x0:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
Big endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
Little endian MIPS:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
PowerPC:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
IBM S/390:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
Sun Sparc:: http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb; http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb

MD5 checksums of the listed files are available in the original advisory.