Operating System:

[Debian]

Published:

17 October 2002

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2002.584 -- Debian Security Advisory DSA 177-1
    New PAM packages fix serious security violation in Debian/unstable
                              18 October 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                pam
Vendor:                 Debian
Operating System:       Debian GNU/Linux unstable alias sid
Impact:                 Increased Privileges
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 177-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 17th, 2002                      http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : pam
Vulnerability  : serious security violation
Problem-Type   : remote 
Debian-specific: no
Distributions  : unstable only

Paul Aurich and Samuele Giovanni Tonon discovered a serious security
violation in PAM.  Disabled passwords (i.e. those with '*' in the
password file) were classified as empty password and access to such
accounts is granted through the regular login procedure (getty,
telnet, ssh).  This works for all such accounts whose shell field in
the password file does not refer to /bin/false.  Only version 0.76 of
PAM seems to be affected by this problem.

This problem has been fixed in version 0.76-6 for the current unstable
distribution (sid).  The stable distribution (woody), the old stable
distribution (potato) and the testing distribution (sarge) are not
affected by this problem.

As stated in the Debian security team FAQ (see URL in header), testing
and unstable are rapidly moving targets and the security team does not
have the resources needed to properly support those.  This security
advisory is an exception to that rule, due to the seriousness of the
problem.

We recommend that you upgrade your PAM packages immediately if you are
running Debian/unstable.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages


Debian GNU/Linux unstable alias sid
- - -----------------------------------

  Source archives:

    http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.dsc
      Size/MD5 checksum:      732 c7661ad0dcbc7df4ca967e58e93edd2e
    http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76-6.diff.gz
      Size/MD5 checksum:    87185 39d8f45620b6750b34ad9128814328e7
    http://ftp.debian.org/debian/pool/main/p/pam/pam_0.76.orig.tar.gz
      Size/MD5 checksum:   424671 22dd4019934cbd71bc67f13a5c2e10ec

  Architecture independent components:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-doc_0.76-6_all.deb
      Size/MD5 checksum:   651724 b3fc72ee81ac4e4413c696ec42fa4ef3
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-runtime_0.76-6_all.deb
      Size/MD5 checksum:    51922 28398b55b183e122984c4bf1a64183a9

  Alpha architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_alpha.deb
      Size/MD5 checksum:    53808 462dcd1a02dd799b761a05687cf08699
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_alpha.deb
      Size/MD5 checksum:   179588 e2719b40c82af6891471c7182d8008f7
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_alpha.deb
      Size/MD5 checksum:    74146 727185b2d9c55a084105e2e4c43afcd0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_alpha.deb
      Size/MD5 checksum:   116148 970c63cf78a3b7311e122069225caa06

  ARM architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_arm.deb
      Size/MD5 checksum:    52268 c8f6709b9b92cac992168bfa957762cd
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_arm.deb
      Size/MD5 checksum:   153494 12a21eb18e0cb8fb3043c23a78b410a8
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_arm.deb
      Size/MD5 checksum:    67952 bf8953d4d7227a5f8c837921da2745c4
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_arm.deb
      Size/MD5 checksum:   110738 10ecfcb5e44bb5af98deb4f5b27c16cb

  Intel IA-32 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_i386.deb
      Size/MD5 checksum:    52116 f91a3a10c47a08aae349bd16d161a644
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_i386.deb
      Size/MD5 checksum:   146290 88216fe253c9e5042e8a6902bc807153
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_i386.deb
      Size/MD5 checksum:    67504 a02c56dfa8949cf9abc071fc3b75ade1
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_i386.deb
      Size/MD5 checksum:   107490 366d7a40aecdc674920c76f8c71684b3

  Intel IA-64 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_ia64.deb
      Size/MD5 checksum:    56320 a52fc9867c6af83788e5d999fb3c5289
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_ia64.deb
      Size/MD5 checksum:   204086 1b85b7156e03bef224c783e45c4f8f36
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_ia64.deb
      Size/MD5 checksum:    81374 76d3f1c7665854f137457f7d0e75d995
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_ia64.deb
      Size/MD5 checksum:   118930 31ff873794cfaf4da938340fbf87c275

  HP Precision architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_hppa.deb
      Size/MD5 checksum:    53646 10dce03fd0f16e7bb25cc7263b679cd2
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_hppa.deb
      Size/MD5 checksum:   171266 23439afca3810b039e65e3ff5a626336
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_hppa.deb
      Size/MD5 checksum:    72066 166e7a5b1f72b0585b1d1fa06d5ac4f0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_hppa.deb
      Size/MD5 checksum:   113166 bb97068c08d1e98c37a439ff044dfe0c

  Motorola 680x0 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_m68k.deb
      Size/MD5 checksum:    51886 aa1a506bbabef00284d5761e891edd3d
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_m68k.deb
      Size/MD5 checksum:   151202 6064da7ddbc9ecf958e52e586b4d5fe0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_m68k.deb
      Size/MD5 checksum:    67578 3586a306ffe39e0b57b6ebd37196fbc7
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_m68k.deb
      Size/MD5 checksum:   106684 db2c282058e7b2d78cb41bd7ab1bc082

  Big endian MIPS architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mips.deb
      Size/MD5 checksum:    52336 5f20d3e21ab9d2948fc74598f70a77b8
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mips.deb
      Size/MD5 checksum:   149874 4ab69f9fdb67245b2c90a192f94c4f09
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mips.deb
      Size/MD5 checksum:    68280 487a9bd02b5ba9c8b3342bcebba95658
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mips.deb
      Size/MD5 checksum:   111840 3bd2014016f6325e7853566d91ec91e4

  Little endian MIPS architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_mipsel.deb
      Size/MD5 checksum:    52318 2ebabb4258a9901b601829594fae3e86
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_mipsel.deb
      Size/MD5 checksum:   149786 a8fa2ea4ba3a4ebd00ff3ea83048972f
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_mipsel.deb
      Size/MD5 checksum:    68284 0afe5c5e849c06a4802b05c7e9fd75a0
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_mipsel.deb
      Size/MD5 checksum:   111834 b7d8dab220f32c55406d7fd0175875f8

  PowerPC architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_powerpc.deb
      Size/MD5 checksum:    52722 9122f2b7af39021cedaabcf8899b7c43
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_powerpc.deb
      Size/MD5 checksum:   157134 350a445962f3835ee8eee72aaaa7aa1c
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_powerpc.deb
      Size/MD5 checksum:    69758 08a704d5ccd0c04505e4570d9ca8f6db
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_powerpc.deb
      Size/MD5 checksum:   109960 0a20b7da4c63d9bb40399fcc44259443

  IBM S/390 architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_s390.deb
      Size/MD5 checksum:    52750 4b4431e696cf93b3a31dccda1fad4244
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_s390.deb
      Size/MD5 checksum:   153186 c42535c78b2413ad0cd81ea4bbb3c727
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_s390.deb
      Size/MD5 checksum:    68050 99382780227c0e7b109f2a11292777ba
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_s390.deb
      Size/MD5 checksum:   108796 32ba2eb69e35e8c9b59ef673a588307c

  Sun Sparc architecture:

    http://ftp.debian.org/debian/pool/main/p/pam/libpam-cracklib_0.76-6_sparc.deb
      Size/MD5 checksum:    53024 ea53bf69a07f62eea1df690fb650529f
    http://ftp.debian.org/debian/pool/main/p/pam/libpam-modules_0.76-6_sparc.deb
      Size/MD5 checksum:   164550 2577423bb422423f6d7fd37547303bae
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g_0.76-6_sparc.deb
      Size/MD5 checksum:    68536 a66479182486669059de5e3c36145162
    http://ftp.debian.org/debian/pool/main/p/pam/libpam0g-dev_0.76-6_sparc.deb
      Size/MD5 checksum:   110406 28d8bf606249b607d6b604a32698c821

- - ---------------------------------------------------------------------------------
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9rvb8W5ql+IAeqTIRAmqeAKCuDnV6sIfRh8A3W/5zPHJE0vNMOwCeJoIy
ci3Yzn5cFkot/xASk8XJ+DU=
=oBCd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPa/r+Sh9+71yA2DNAQGhGwP/Yls84ws5C5ul7ELa7V2PPqkzkOkc4c+v
0HrFNmw/ZwcB5UZoAp050V7I2h16jrI1uw67Lov8PdisBBcWX0A9dkW4l9zrNSAj
9M3lawVmlK1P823l3LI4cCXILqacoNrE0o5LQthe4dKduPdC2j8b5SsHmabf+JEp
ZDF/lqtNivk=
=I1Dv
-----END PGP SIGNATURE-----