Debian Security Advisory
DSA-469-1 pam-pgsql -- missing input sanitising
- Date Reported:
- 29 Mar 2004
- Affected Packages:
- pam-pgsql
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 230875.
- In Mitre's CVE dictionary: CVE-2004-0366.
- More information:
-
Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module that authenticates users against a PostgreSQL database. The module does not escape all user-supplied data before sending it to the database, so an attacker who controls such data can inject arbitrary SQL statements into the authentication query.
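The class of bug described above, shown as an added example that is not pam-pgsql's code and does not reproduce the 0.5.2-3woody2 fix: a Python script that uses an in-memory SQLite database as a stand-in for PostgreSQL (the table name, column names and sample account are constructed assumptions) and compares an authentication query built from unescaped strings with an escaped one and with a parameter-bound one. A username that closes the quoted literal and comments out the rest of the WHERE clause passes the unescaped check without the password.

```python
import sqlite3

# Constructed sample data. SQLite stands in for PostgreSQL here; the table
# and column names are assumptions for this example, not pam-pgsql's own
# configuration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 'correct horse')")
    db.commit()
    return db

def build_query_unescaped(user, pwd):
    """Vulnerable pattern: credentials spliced into the SQL text unchanged."""
    return ("SELECT username FROM accounts "
            "WHERE username = '%s' AND password = '%s'" % (user, pwd))

def escape_literal(value):
    """Minimal literal escaping: double every single quote so the value
    cannot terminate the quoted string. This is the quote handling that
    libpq's PQescapeStringConn performs; backslashes are not special
    when standard_conforming_strings is on."""
    return value.replace("'", "''")

def build_query_escaped(user, pwd):
    """The same statement with every user-supplied value escaped first."""
    return build_query_unescaped(escape_literal(user), escape_literal(pwd))

def auth_unescaped(db, user, pwd):
    """True if the unescaped query returns a row (the vulnerable check)."""
    return db.execute(build_query_unescaped(user, pwd)).fetchone() is not None

def auth_escaped(db, user, pwd):
    """True if the escaped query returns a row."""
    return db.execute(build_query_escaped(user, pwd)).fetchone() is not None

def auth_param(db, user, pwd):
    """Preferred fix: bound parameters are never parsed as SQL
    (PQexecParams in libpq)."""
    row = db.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (user, pwd)).fetchone()
    return row is not None

# A username that closes the quoted literal and comments out the remainder
# of the WHERE clause, so the password column is never compared.
INJECTED_USER = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print(build_query_unescaped(INJECTED_USER, "wrong"))
    print("unescaped:", auth_unescaped(db, INJECTED_USER, "wrong"))  # True: bypass
    print("escaped:  ", auth_escaped(db, INJECTED_USER, "wrong"))    # False
    print("param:    ", auth_param(db, INJECTED_USER, "wrong"))      # False
```

Escaping every value closes the hole only if no code path is missed, which is exactly the failure the advisory reports; binding parameters removes the question, because the server never interprets the values as SQL text.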
For the stable distribution (woody) this problem has been fixed in version 0.5.2-3woody2.
For the unstable distribution (sid) this problem has been fixed in version 0.5.2-7.1.
We recommend that you upgrade your libpam-pgsql package.
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/pam-pgsql_0.5.2-3woody2.dsc
- http://security.debian.org/pool/updates/main/p/pam-pgsql/pam-pgsql_0.5.2-3woody2.diff.gz
- http://security.debian.org/pool/updates/main/p/pam-pgsql/pam-pgsql_0.5.2.orig.tar.gz
- Alpha:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/p/pam-pgsql/libpam-pgsql_0.5.2-3woody2_sparc.deb
MD5 checksums of the listed files are available in the original advisory.