Debian Bug report logs - #481970
libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.


Package: libpam-pgsql; Maintainer for libpam-pgsql is Jan Dittberner <jandd@debian.org>; Source for libpam-pgsql is src:pam-pgsql.

Reported by: Julian Mehnle <julian@mehnle.net>

Date: Mon, 19 May 2008 20:06:05 UTC

Severity: critical

Tags: security

Found in version pam-pgsql/0.6.3-1

Fixed in version pam-pgsql/0.6.3-2

Done: Michael Schutte <m.schutte.jr@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian QA Group <packages@qa.debian.org>:
Bug#481970; Package libpam-pgsql.

Acknowledgement sent to Julian Mehnle <julian@mehnle.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian QA Group <packages@qa.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Julian Mehnle <julian@mehnle.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpam-pgsql: <Ctrl+C> while in authentication phase induces success, may circumvent sudo et al.
Date: Mon, 19 May 2008 20:04:29 +0000
Package: libpam-pgsql
Version: 0.6.3-1
Severity: critical
Tags: security
Justification: root security hole

I recently upgraded libpam-pgsql to 0.6.3-1.  I now noticed that
pressing <Ctrl+C> during libpam-pgsql's authentication phase, e.g., when
sudo is asking for the user's password, erroneously causes sudo to
succeed as if the user had entered the correct password, IF pam_pgsql.so
has been configured as a "sufficient" authentication module in the
system's PAM setup.

I am attaching my /etc/pam.d/common-auth and /etc/pam.d/sudo files for
illustration.  Only the former has been changed from the PAM defaults.

Here's a transcript demonstrating the effect:

| io:~> id
| uid=1004(julian) gid=100(users) groups=0(root),4(adm),8(mail),32(postgres),40(src),50(staff),100(users),[...]
| io:~> sudo -k
| io:~> sudo id
| [sudo] password for julian: ^C
| uid=0(root) gid=0(root) groups=0(root),4(adm)

Even though pam_pgsql.so is not configured as a "sufficient" auth module
by default, I consider this a critical security issue in the libpam-
pgsql package.  Feel free to downgrade the severity if you think
otherwise.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (90, 'unstable')
Architecture: i386 (i586)

Kernel: Linux 2.6.24-1-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-pgsql depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libmhash2                     0.9.9-1    Library for cryptographic hashing 
ii  libpam0g                      0.99.7.1-6 Pluggable Authentication Modules l
ii  libpq5                        8.3.1-1    PostgreSQL C client library

libpam-pgsql recommends no packages.

-- no debconf information
[common-auth (text/plain, attachment)]
[sudo (text/plain, attachment)]

Reply sent to Michael Schutte <m.schutte.jr@gmail.com>:
You have taken responsibility.

Notification sent to Julian Mehnle <julian@mehnle.net>:
Bug acknowledged by developer.

Message #10 received at 481970-close@bugs.debian.org:

From: Michael Schutte <m.schutte.jr@gmail.com>
To: 481970-close@bugs.debian.org
Subject: Bug#481970: fixed in pam-pgsql 0.6.3-2
Date: Sat, 24 May 2008 20:47:15 +0000
Source: pam-pgsql
Source-Version: 0.6.3-2

We believe that the bug you reported is fixed in the latest version of
pam-pgsql, which is due to be installed in the Debian FTP archive:

libpam-pgsql_0.6.3-2_amd64.deb
  to pool/main/p/pam-pgsql/libpam-pgsql_0.6.3-2_amd64.deb
pam-pgsql_0.6.3-2.diff.gz
  to pool/main/p/pam-pgsql/pam-pgsql_0.6.3-2.diff.gz
pam-pgsql_0.6.3-2.dsc
  to pool/main/p/pam-pgsql/pam-pgsql_0.6.3-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 481970@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Schutte <m.schutte.jr@gmail.com> (supplier of updated pam-pgsql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 24 May 2008 22:30:02 +0200
Source: pam-pgsql
Binary: libpam-pgsql
Architecture: source amd64
Version: 0.6.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Michael Schutte <m.schutte.jr@gmail.com>
Description: 
 libpam-pgsql - PAM module to authenticate using a PostgreSQL database
Closes: 481970
Changes: 
 pam-pgsql (0.6.3-2) unstable; urgency=high
 .
   * High-urgency QA upload to get security fix into testing.
   * Fix upstream security issue that granted root access when pressing Ctrl-C
     in sudo’s authentication conversation, closes: #481970.  The problem was
     caused by a mistake in operator precedence leading to a pam_get_pass call
     always being considered successful; it is fixed by adding a level of
     parentheses.

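
The kind of precedence mistake the 0.6.3-2 changelog describes, as an added illustration that is not the pam-pgsql source: `==` binds tighter than `=`, so a misplaced closing parenthesis stores the comparison result in `rc`, and a failed password prompt then returns 0, which is `PAM_SUCCESS`. The stub functions, the `authenticate_*` names and the sample password are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM return code values, defined locally so no PAM headers are needed. */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7
#define PAM_CONV_ERR 19

/* Hypothetical password prompt: NULL models an aborted conversation (Ctrl-C). */
static int get_pass_stub(const char *typed, const char **out)
{
    if (typed == NULL)
        return PAM_CONV_ERR;
    *out = typed;
    return PAM_SUCCESS;
}

/* Hypothetical database check; "s3cret" is a constructed sample password. */
static int verify_stub(const char *password)
{
    return strcmp(password, "s3cret") == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Misplaced parenthesis: == binds tighter than =, so rc gets the comparison
 * result (1 or 0). A failed prompt leaves rc == 0, which is PAM_SUCCESS. */
int authenticate_buggy(const char *typed)
{
    const char *password = NULL;
    int rc;
    if ((rc = get_pass_stub(typed, &password) == PAM_SUCCESS))
        rc = verify_stub(password);
    return rc;
}

/* One more level of parentheses: rc gets the call's own return code. */
int authenticate_fixed(const char *typed)
{
    const char *password = NULL;
    int rc;
    if ((rc = get_pass_stub(typed, &password)) == PAM_SUCCESS)
        rc = verify_stub(password);
    return rc;
}

int main(void)
{
    printf("aborted prompt: buggy=%d fixed=%d\n", authenticate_buggy(NULL), authenticate_fixed(NULL));
    return 0;
}
```

The buggy form already carries a doubled pair of parentheses around the whole condition, so it reads as deliberate in review; only the position of the inner closing parenthesis differs between the two functions.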





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Jun 2008 07:35:30 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 15:45:44 2014; Machine Name: buxtehude.debian.org
