The operator precedence you quote from line 696 looks like the fixed
one, not the buggy one ?
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
Naive question about a bug that was closed a year ago...
Can a user do a similar thing with pam_pgsql when changing her password?
For example the operator precedence in pam_sm_chauthtok() line 696 is:
if ((rc = pam_get_pass(pamh, PAM_OLDAUTHTOK, pass, PASSWORD_PROMPT,
options-std_flags)) ==
** Changed in: pam-pgsql (Ubuntu Intrepid)
Status: Fix Committed = Fix Released
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs
Subscribing ubuntu-universe-sponsors to help getting the fake-sync in
comment 2 into Intrepid first.
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: pam-pgsql (Ubuntu Gutsy)
Status: Triaged = Fix Committed
** Changed in: pam-pgsql (Ubuntu Hardy)
Status: Triaged = Fix Committed
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are
** Changed in: pam-pgsql (Ubuntu Intrepid)
Status: Triaged = Fix Committed
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs
This bug was fixed in the package pam-pgsql - 0.6.3-0ubuntu1.8.04.1
---
pam-pgsql (0.6.3-0ubuntu1.8.04.1) hardy-security; urgency=low
* SECURITY UPDATE: local users may bypass authentication and gain
privileges by sending CTRL-C at the password prompt.
* pam_pgsql.c: applied
This bug was fixed in the package pam-pgsql - 0.6.3-0ubuntu1.7.10.1
---
pam-pgsql (0.6.3-0ubuntu1.7.10.1) gutsy-security; urgency=low
* SECURITY UPDATE: local users may bypass authentication and gain
privileges by sending CTRL-C at the password prompt.
* pam_pgsql.c: applied
Here is the debdiff for hardy.
I had to apply an extra patch because the current version in hardy FTBFS.
I have tested that it closes the hole, but I've not tested that there are no
regressions in usual features.
** Attachment added: pam-pgsql_0.6.3-0ubuntu1.1.debdiff
New debdiff for hardy, with proper version number.
Furthermore I've tested on a basic setup that there was no obvious regression.
I'm working on the gutsy one.
** Attachment added: pam-pgsql_0.6.3-0ubuntu1.8.04.1.debdiff
Debdiff for gutsy.
The package also FTBFS in pbuilder so I applied the same patch.
** Attachment added: pam-pgsql_0.6.3-0ubuntu1.7.10.1.debdiff
http://launchpadlibrarian.net/15607234/pam-pgsql_0.6.3-0ubuntu1.7.10.1.debdiff
--
Ctrl+C might allow to bypass authentication
Are you able to prepare and test fixes for Gutsy and Hardy as well?
Simply applying that parentheses-addition patch should do, but I've
nowhere to test this.
** Changed in: pam-pgsql (Ubuntu Gutsy)
Importance: Undecided = High
Status: New = Triaged
** Changed in: pam-pgsql (Ubuntu
The minimal fix, for the record (and learning).
** Attachment added: CVE-2008-2516.patch
http://launchpadlibrarian.net/15562272/security_481970.patch
** Visibility changed to: Public
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug
Debdiff for the fake sync to 0.6.3-2 to intrepid
** Attachment added:
pam-pgsql_0.6.3-0ubuntu1_to_pam-pgsql_0.6.3-2build1.debdiff
http://launchpadlibrarian.net/15563014/fakesync2.debdiff
** Bug watch added: Debian Bug tracker #481970
** Changed in: pam-pgsql (Debian)
Status: Unknown = Fix Released
--
Ctrl+C might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
15 matches
Mail list logo
