Debian Bug report logs - #392984
CVE-2006-5170: pam_ldap authentication bypass


Package: libpam-ldap; Maintainer for libpam-ldap is Richard A Nelson (Rick) <cowboy@debian.org>; Source for libpam-ldap is src:libpam-ldap.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Sat, 14 Oct 2006 14:48:53 UTC

Severity: grave

Tags: patch, security

Fixed in version 180-1.2

Done: Stefan Fritsch <sf@sfritsch.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#392984; Package libpam_ldap.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.

Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-5170: pam_ldap authentication bypass
Date: Sat, 14 Oct 2006 16:31:05 +0200 (CEST)
Package: libpam_ldap
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability has been found in libpam_ldap:
pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and
earlier, and possibly other distributions does not return an error
condition when an LDAP directory server responds with a
PasswordPolicyResponse control response, which causes the
pam_authenticate function to return a success code even if
authentication has failed, as originally reported for xscreensaver.

See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207286 for
details.

From the patch given in the bug report, libpam-ldap 180-1.1 in Debian
seems to be vulnerable, too. Please mention the CVE id in the changelog.

I have attached the patch as there is only a .srpm in the Red Hat bug
report.
[pam_ldap-176-no_suppress.patch (text/plain, attachment)]
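The failure described in the report, shown as a constructed C illustration added to this log (it is not pam_ldap's code and not the attached patch): a single result variable is reused for the bind outcome and for the outcome of parsing the PasswordPolicyResponse control, so a parseable control overwrites LDAP_INVALID_CREDENTIALS and the PAM layer reports success. The LDAP and PAM constants and the control's OID are the real values; the function names and the three-argument signatures are simplified stand-ins.

```c
/* Constructed illustration of the CVE-2006-5170 pattern (not pam_ldap's code):
 * the bind result code is clobbered by the status of parsing a server control,
 * so a failed bind with a PasswordPolicyResponse control attached looks like
 * success to pam_authenticate. Names and signatures are simplified stand-ins. */
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49
#define PAM_SUCCESS              0
#define PAM_AUTH_ERR             7
/* OID of the PasswordPolicyResponse control (draft-behera-ldap-password-policy). */
#define PPOLICY_OID "1.3.6.1.4.1.42.2.27.8.5.1"

/* Vulnerable shape: one variable holds both the bind result and the outcome of
 * parsing the control, so the later assignment overwrites the earlier failure. */
int bind_rc_vulnerable(int bind_result, const char *ctrl_oid, int ctrl_parse_rc)
{
    int rc = bind_result;
    if (ctrl_oid != NULL && strcmp(ctrl_oid, PPOLICY_OID) == 0)
        rc = ctrl_parse_rc;   /* bug: LDAP_INVALID_CREDENTIALS is lost here */
    return rc;
}

/* Fixed shape: the control is parsed with its own status; a parse error is
 * still reported, but a successfully parsed control never masks a failed bind. */
int bind_rc_fixed(int bind_result, const char *ctrl_oid, int ctrl_parse_rc)
{
    if (ctrl_oid != NULL && strcmp(ctrl_oid, PPOLICY_OID) == 0 &&
        ctrl_parse_rc != LDAP_SUCCESS)
        return ctrl_parse_rc;
    return bind_result;
}

/* What the PAM layer hands back: only a clean LDAP result is PAM_SUCCESS. */
int to_pam(int ldap_rc)
{
    return ldap_rc == LDAP_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int main(void)
{
    /* Constructed case: wrong password, server attaches a parseable policy control. */
    int vuln = to_pam(bind_rc_vulnerable(LDAP_INVALID_CREDENTIALS, PPOLICY_OID, LDAP_SUCCESS));
    int fixed = to_pam(bind_rc_fixed(LDAP_INVALID_CREDENTIALS, PPOLICY_OID, LDAP_SUCCESS));
    printf("wrong password + policy control: vulnerable=%d fixed=%d\n", vuln, fixed);
    return 0;
}
```

A regression check for this class of bug is the constructed case in main: a bind that fails with a policy control attached must still map to PAM_AUTH_ERR.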

Bug reassigned from package `libpam_ldap' to `libpam-ldap'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org.

Reply sent to Stefan Fritsch <sf@sfritsch.de>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Message #12 received at 392984-done@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 392984-done@bugs.debian.org
Subject: Fwd: Accepted libpam-ldap 180-1.2 (source i386)
Date: Tue, 24 Oct 2006 20:45:17 +0200
Version: 180-1.2

Fixed by NMU


Format: 1.7
Date: Sun, 22 Oct 2006 22:26:58 +0200
Source: libpam-ldap
Binary: libpam-ldap
Architecture: source i386
Version: 180-1.2
Distribution: unstable
Urgency: high
Maintainer: Stephen Frost <sfrost@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
 libpam-ldap - Pluggable Authentication Module allowing LDAP interfaces
Changes: 
 libpam-ldap (180-1.2) unstable; urgency=high
 .
   * NMU for RC security bug.
   * Fix error passing for PasswordPolicyResponse control responses.
     (CVE-2006-5170)
Files:
 fdcb676bce1ec85bd537f27be2e6014b 633 admin extra libpam-ldap_180-1.2.dsc
 2c1223188cc208dadd18a5c3517872eb 20800 admin extra libpam-ldap_180-1.2.diff.gz
 90c30affd16764f3874d7b2dd3273a6a 62634 admin extra libpam-ldap_180-1.2_i386.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 20:54:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:24:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.