Your message dated Mon, 23 Oct 2006 06:17:44 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#388431: fixed in pam 0.79-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libpam-modules
Version: 0.79-3.2
Severity: critical
Module pam_limits.so blindly sets almost all available limits to
the unlimited value, including RLIMIT_NICE and RLIMIT_RTPRIO, which should
be set to zero instead (this is also the kernel's default). This gives all
users unlimited access to real-time scheduling, which can be used to
completely lock up the entire system. I discovered it accidentally when my
laptop locked up while I was experimenting with ecasound and alsa plugins.
This problem appeared right after upgrading from 0.79-3.1 to 0.79-3.2, but
the source change is not to blame: building with a newer libc6-dev package
is likely the direct cause of this problem (because RLIMIT_NICE and
RLIMIT_RTPRIO were probably not available when the previous version of
libpam-modules was built). With libpam-modules_0.79-3.1 I have
(/etc/security/limits.conf is not modified):
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) unlimited
max rt priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
But after upgrading to libpam-modules 0.79-3.2 and logging out and in I
get:
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
max nice (-e) unlimited
file size (blocks, -f) unlimited
pending signals (-i) unlimited
max locked memory (kbytes, -l) unlimited
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) unlimited
max rt priority (-r) unlimited
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
--
Ville Hallik
--- End Message ---
--- Begin Message ---
Source: pam
Source-Version: 0.79-4
We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:
libpam-cracklib_0.79-4_i386.deb
to pool/main/p/pam/libpam-cracklib_0.79-4_i386.deb
libpam-doc_0.79-4_all.deb
to pool/main/p/pam/libpam-doc_0.79-4_all.deb
libpam-modules_0.79-4_i386.deb
to pool/main/p/pam/libpam-modules_0.79-4_i386.deb
libpam-runtime_0.79-4_all.deb
to pool/main/p/pam/libpam-runtime_0.79-4_all.deb
libpam0g-dev_0.79-4_i386.deb
to pool/main/p/pam/libpam0g-dev_0.79-4_i386.deb
libpam0g_0.79-4_i386.deb
to pool/main/p/pam/libpam0g_0.79-4_i386.deb
pam_0.79-4.diff.gz
to pool/main/p/pam/pam_0.79-4.diff.gz
pam_0.79-4.dsc
to pool/main/p/pam/pam_0.79-4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated pam package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 23 Oct 2006 05:36:08 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-4
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description:
libpam-cracklib - PAM module to enable cracklib support
libpam-doc - Documentation of PAM
libpam-modules - Pluggable Authentication Modules for PAM
libpam-runtime - Runtime support for the PAM library
libpam0g - Pluggable Authentication Modules library
libpam0g-dev - Development files for PAM
Closes: 122400 149027 149883 241663 313542 313588 318452 327272 335273 344447 352329 360657 388431
Changes:
pam (0.79-4) unstable; urgency=medium
.
* Medium-urgency upload; at least one RC bugfix, but also a
significant number of changes, hence not urgency=high.
* Move libpam-modules and libpam0g to Section: libs and libpam-runtime
to section: admin, to match the overrides in the archive.
* Move old changelog entries (well, entry) that don't follow the current
format to debian/changelog.old, since there's no way to figure out a
timestamp for an 8-year-old upload, and this is the most effective
way to clear a glut of lintian warnings.
* Fix the formatting of the libpam-cracklib package description.
* Patch 010: remove parts of the patch that aren't necessary for C++
compatibility.
* Patch 060: fix a segfault in pam_tally caused by misuse of
pam_get_data(); already fixed upstream. Closes: #335273.
* Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
of strdup (similar to patch 059). Already fixed upstream.
Closes: #327272.
* Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs.
Closes: #352329.
* Patch 005: sync pam_limits with upstream:
- support "-" (unlimited) for all limit types except process priority.
- support the additional aliases "-1", "unlimited", and "infinity" for
clearing the limits; closes: #122400, #149027.
- restrict the range of process priority, login count, and system login
count settings to (INT_MIN,INT_MAX) (heh).
- special-case RLIM_INFINITY when applying multipliers to values from
the config.
- document maxsyslogins in the default limits.conf; closes: #149883.
- use the current process priority as a default instead of resetting to
0; closes: #241663.
- add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO
settings in Linux 2.6.12 and above; closes: #313542, #313588.
- allow imposing limits on uid=0.
* Patch 027: only set RLIM_INFINITY as the default for the limits where
we know this is sensible, so that recompiling in an environment with new
limits doesn't create a security hole -- as happened with RLIMIT_NICE and
RLIMIT_RTPRIO! Thanks to Ville Hallik for the initial patch.
Closes: #388431.
* Patch 029, 047: Fix up the broken pam_limits capabilities patch so it
actually works -- which may well be a first... Closes: #318452.
.
pam (0.79-3.2) unstable; urgency=low
.
* Non-maintainer upload to fix important bug, that makes passwd segfault
when CTRL-D is pressed at the password prompt. Applied the patch
provided by Dann Frazier. (Closes: #360657)
.
pam (0.79-3.1) unstable; urgency=low
.
* Non-maintainer upload.
* Linux-PAM/libpamc/include/security/pam_client.h,
Linux-PAM/libpamc/pamc_converse.c: Apply patch from
latest upstream version to remove redefinition of internal
glibc/libstdc++ types. Closes: #344447.
Files:
bb83e935d98ee21122360cab326e204a 970 libs optional pam_0.79-4.dsc
f1401efc74c136fb07652643d1b1a1cf 136866 libs optional pam_0.79-4.diff.gz
0fb6ed72ff29cf455d62e8a8a8292338 64282 admin required libpam-runtime_0.79-4_all.deb
004664714294d7a4a89954c5e9554d00 731984 doc optional libpam-doc_0.79-4_all.deb
1ced26f43273eb1055384bd711fb1651 79676 libs required libpam0g_0.79-4_i386.deb
f884fb9426c4f73c40c892ac343efc85 187500 libs required libpam-modules_0.79-4_i386.deb
badc0696da385466937f22929a7a1bb1 117900 libdevel optional libpam0g-dev_0.79-4_i386.deb
e28da4b5da863be36d965369e4828340 59530 libs optional libpam-cracklib_0.79-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFPLzSKN6ufymYLloRAurrAJ9qK9+NWBnnhGZbRwBJQBTbyMGMVwCbBml2
UPu1tc4FiTiEnO3989I4kcc=
=pfjG
-----END PGP SIGNATURE-----
--- End Message ---
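As an added example (not code from the pam package, the bug report, or the changelog above), the following C program models the two points this thread makes: the 0.79-3.2 behaviour the reporter saw, where every limit the build headers know about starts out as RLIM_INFINITY, so that a rebuild against newer headers silently extends "unlimited" to RLIMIT_NICE and RLIMIT_RTPRIO; and the patch-027 approach, where only an explicit allow-list of resources defaults to unlimited and everything else keeps the value inherited from the kernel. It also includes an audit helper that reports whether the calling process already has unlimited scheduling limits, which is the quick check an administrator can run on an affected login session. The function names, the allow-list contents and the audit helper are my own choices for illustration, not pam_limits's actual code or its real list; the program assumes a Linux/glibc build where RLIMIT_NICE and RLIMIT_RTPRIO are defined (Linux 2.6.12 and later, as the changelog notes).

```c
/* Added example, not code from pam_limits: contrasts a blanket
 * "default every limit to RLIM_INFINITY" with a per-resource allow-list,
 * and audits the calling process for unlimited scheduling limits.
 * Assumes Linux/glibc, where RLIMIT_NICE and RLIMIT_RTPRIO exist. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/resource.h>

/* Illustrative allow-list (my own choice, not pam_limits's): resources
 * where "no limit" is an acceptable starting point. RLIMIT_NICE and
 * RLIMIT_RTPRIO are deliberately absent: unlimited real-time priority
 * for every user is what locked up the reporter's laptop. */
static const int infinity_ok[] = {
    RLIMIT_CORE, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_STACK,
    RLIMIT_CPU, RLIMIT_NPROC, RLIMIT_AS, RLIMIT_MEMLOCK,
};

int infinity_is_sensible(int resource)
{
    size_t i;
    for (i = 0; i < sizeof infinity_ok / sizeof infinity_ok[0]; i++)
        if (infinity_ok[i] == resource)
            return 1;
    return 0;
}

/* The 0.79-3.2 behaviour described in the report: every resource the
 * headers know about starts out unlimited. A rebuild against headers
 * that add a new resource silently widens this to the new one too. */
rlim_t naive_default(int resource, rlim_t inherited)
{
    (void)resource;
    (void)inherited;
    return RLIM_INFINITY;
}

/* The patch-027 idea: only allow-listed resources default to unlimited;
 * anything else, including resources unknown when the list was written,
 * keeps the value the login process inherited from the kernel. */
rlim_t safe_default(int resource, rlim_t inherited)
{
    return infinity_is_sensible(resource) ? RLIM_INFINITY : inherited;
}

/* Audit for a running session: how many of the two scheduling limits are
 * unlimited (soft or hard) for the calling process? 0 is the healthy state
 * for an ordinary user; -1 means getrlimit failed. */
int unlimited_sched_limits(void)
{
    const int sched[] = { RLIMIT_NICE, RLIMIT_RTPRIO };
    struct rlimit rl;
    int n = 0;
    size_t i;
    for (i = 0; i < sizeof sched / sizeof sched[0]; i++) {
        if (getrlimit(sched[i], &rl) != 0)
            return -1;
        if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_max == RLIM_INFINITY)
            n++;
    }
    return n;
}

int main(void)
{
    /* Kernel default for both scheduling resources is 0, matching the
     * "max nice (-e) 0" / "max rt priority (-r) 0" lines in the report. */
    rlim_t kernel_default = 0;
    printf("naive default for RLIMIT_RTPRIO: %s\n",
           naive_default(RLIMIT_RTPRIO, kernel_default) == RLIM_INFINITY
               ? "unlimited" : "bounded");
    printf("safe  default for RLIMIT_RTPRIO: %s\n",
           safe_default(RLIMIT_RTPRIO, kernel_default) == RLIM_INFINITY
               ? "unlimited" : "bounded");
    printf("safe  default for RLIMIT_CORE:   %s\n",
           safe_default(RLIMIT_CORE, kernel_default) == RLIM_INFINITY
               ? "unlimited" : "bounded");
    printf("scheduling limits currently unlimited in this process: %d\n",
           unlimited_sched_limits());
    return 0;
}
```

The design point is the direction of the default: an allow-list fails closed when the headers grow a resource nobody has reviewed yet, whereas the blanket RLIM_INFINITY fails open, which is exactly the "recompiling in an environment with new limits" failure the changelog entry describes. On a session affected by the 0.79-3.2 build, `unlimited_sched_limits()` returns 2; after the 0.79-4 fix (or with the kernel defaults intact) it returns 0.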