List Archive: gentoo-announce
-----Forwarded Message-----
--------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------
PACKAGE : shadow
SUMMARY : Bug in /bin/login
DATE    : 8 Apr 2002 19:30:00 UTC
--------------------------------------------------------------------------
OVERVIEW
The /bin/login program contained in the shadow ebuild contains a PAM-related
bug that, in some instances, can allow anyone who has a valid user account
and password to log in as root either from the console or via telnet.
It should be known that Gentoo does not default to allowing telnet access
and ssh is unaffected by this bug. Nevertheless, this is an important
security flaw that should be corrected immediately on all affected systems.
DETAIL
The shadow package's /bin/login code gets the login username from PAM, but
it uses a pointer to a string that can and will get overwritten if
pam_limits.so is active.
Because shadow's login.c doesn't compensate or protect against this, a
disastrous chain of events takes place: the login name is overwritten
with a random string, login.c passes this to getpwnam() which returns NULL,
login.c mis-handles the NULL return value (another bug) and creates a small
pwent structure without a home directory but with other default values in
place that allow you to log in -- and these default values specify a *root*
login, of all things. This bug is triggerable because shadow's login.c
doesn't respect PAM's "too many logins" return value but uses its own value
from /etc/login.defs instead.
It was previously thought that swapping pam_pwdb for pam_unix in
/etc/pam.d/system-auth corrected the above problem. In general, this fixed
the symptoms on nearly all systems, but did not address the root cause of
the security problem. Further examination of the problem revealed that the
real issue was with shadow's /bin/login program.
The implemented solution was to switch over to using util-linux's /bin/login
program, which does not rely on PAM for the username after PAM has
authenticated the user. The new util-linux /bin/login does not have this
bug, which appears to be similar if not identical to the one experienced
with older versions of util-linux. Refer to bugtraq id 3415 concerning that
vulnerability.
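
The failure chain described under DETAIL, shown next to its hardened form.
This is an added example, not code from shadow or util-linux: module_buf,
stack_get_user(), stack_open_session(), lookup() and the account table are
constructed stand-ins for the PAM stack and getpwnam().

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins: no real PAM stack or passwd database is touched. */
struct acct { const char *name; long uid; };
static const struct acct accounts[] = { { "root", 0 }, { "alice", 1000 } };
static char module_buf[32];              /* storage owned by the auth stack */

static const char *stack_get_user(void) { return module_buf; }
static void stack_open_session(void)     /* a later module reuses the buffer */
{
    snprintf(module_buf, sizeof module_buf, "%s", "~scratch~");
}
static const struct acct *lookup(const char *name)   /* getpwnam() stand-in */
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Flawed pattern: borrowed pointer, and a failed lookup replaced by defaults. */
long login_flawed(const char *typed)
{
    static const struct acct defaults = { "", 0 };   /* zeroed entry: uid 0 */
    snprintf(module_buf, sizeof module_buf, "%s", typed);
    const char *user = stack_get_user();  /* points into module_buf */
    stack_open_session();                 /* silently changes *user */
    const struct acct *pw = lookup(user);
    if (pw == NULL)
        pw = &defaults;                   /* should have been a refusal */
    return pw->uid;
}

/* Hardened pattern: private copy of the name, and fail closed on NULL. */
long login_hardened(const char *typed)
{
    char user[sizeof module_buf];
    snprintf(module_buf, sizeof module_buf, "%s", typed);
    snprintf(user, sizeof user, "%s", stack_get_user());
    stack_open_session();                 /* cannot affect our copy */
    const struct acct *pw = lookup(user);
    return pw ? pw->uid : -1;             /* -1: login refused */
}

int main(void)
{
    printf("flawed=%ld hardened=%ld unknown=%ld\n", login_flawed("alice"),
           login_hardened("alice"), login_hardened("nosuchuser"));
    return 0;
}
```

The flawed path returns uid 0 for the ordinary account because the name it
looks up is no longer the one that was authenticated; the hardened path
returns the account's own uid and refuses names that do not resolve.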
SOLUTION
It is recommended that all Gentoo Linux users update their systems. Please
note that these fixes are included in Gentoo Linux 1.1a and above. All other
Gentoo Linux users should upgrade their systems as follows:

To upgrade affected Gentoo Linux 1.0+ systems automatically (this will also
upgrade other packages unrelated to this security announcement):

    emerge rsync
    emerge --update world

To upgrade affected Gentoo Linux 1.0+ systems (just affected packages):

    emerge rsync
    emerge sys-apps/shadow
    emerge sys-apps/util-linux
--------------------------------------------------------------------------
jhhudso@g.o
drobbins@g.o
--------------------------------------------------------------------------
--
Daniel Robbins <drobbins@g.o>
Chief Architect/President http://www.gentoo.org
Gentoo Technologies, Inc.