List Archive: gentoo-announce
Headers:
To: gentoo-announce@g.o, gentoo-security@g.o
From: Daniel Robbins <drobbins@g.o>
Subject: Security Announcement - Bug in /bin/login
Date: 08 Apr 2002 14:48:37 -0600
-----Forwarded Message-----

--------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE        :shadow
SUMMARY        :Bug in /bin/login
DATE           :8 Apr 2002 19:30:00 UTC

--------------------------------------------------------------------------

OVERVIEW

 The /bin/login program contained in the shadow ebuild contains a PAM-related
 bug that, in some instances, can allow anyone who has a valid user account 
 and password to log in as root either from the console or via telnet. 

 Note that Gentoo does not allow telnet access by default, and ssh is
 unaffected by this bug.  Nevertheless, this is an important
 security flaw that should be corrected immediately on all affected systems.

DETAIL

 The shadow package's /bin/login code gets the login username from PAM, but
 it uses a pointer to a string that can and will get overwritten if 
 pam_limits.so is active.  

 Because shadow's login.c doesn't compensate or protect against this, a 
 disastrous chain of events takes place: the login name is overwritten
 with a random string, login.c passes this to getpwnam() which returns NULL,
 login.c mis-handles the NULL return value (another bug) and creates a small
 pwent structure without a home directory but with other default values in
 place that allow you to log in -- and these default values specify a *root*
 login, of all things.  This bug is triggerable because shadow's login.c
 doesn't respect PAM's "too many logins" return value but uses its own value
 from /etc/login.defs instead.

 It was previously thought that swapping pam_pwdb for pam_unix in 
 /etc/pam.d/system-auth corrected the above problem. In general, this fixed
 the symptoms on nearly all systems, but did not address the root cause of
 the security problem. Further examination of the problem revealed that the 
 real issue was with shadow's /bin/login program.

 The implemented solution was to switch over to using util-linux's /bin/login
 program, which does not rely on PAM for the username after PAM has 
 authenticated the user.  The new util-linux /bin/login does not have this
 bug, which appears to be similar if not identical to the one experienced 
 with older versions of util-linux. Refer to bugtraq id 3415 concerning that
 vulnerability.

SOLUTION
 
 These fixes are included in Gentoo Linux 1.1a and above. It is recommended
 that all other Gentoo Linux users upgrade their systems as follows.

 To upgrade affected Gentoo Linux 1.0+ systems automatically (This will also 
 upgrade other packages unrelated to this security announcement):

 emerge rsync
 emerge --update world

 Upgrade affected Gentoo Linux 1.0+ systems (just affected packages):

 emerge rsync
 emerge sys-apps/shadow
 emerge sys-apps/util-linux

--------------------------------------------------------------------------
jhhudso@g.o
drobbins@g.o
--------------------------------------------------------------------------

-- 
Daniel Robbins                                  <drobbins@g.o>
Chief Architect/President                       http://www.gentoo.org 
Gentoo Technologies, Inc.
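
The chain described under DETAIL, reduced to a runnable sketch. This is an added example, not code from shadow, util-linux or the advisory; it shows the flawed pattern (borrowed username pointer plus a default entry on a failed lookup) beside one way to harden it (private copy, fail closed). The account table, the `pam_owned` buffer and all function names are constructed stand-ins, and no real PAM or passwd calls are made.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-ins (assumptions): a two-entry account table instead of
 * /etc/passwd, and a buffer playing the PAM-owned username storage. */
struct acct { const char *name; uid_t uid; };
static const struct acct table[] = { {"root", 0}, {"alice", 1000} };
static char pam_owned[32];

static const struct acct *lookup(const char *name) {  /* getpwnam() stand-in */
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Stand-in for a later PAM module reusing the storage behind the pointer. */
static void later_module_runs(void) {
    snprintf(pam_owned, sizeof pam_owned, "%s", "\x01garbage");
}

/* Flawed pattern: keep the borrowed pointer across further PAM activity,
 * then fall back to a default entry when the lookup fails. */
static long login_flawed(const char *user) {
    snprintf(pam_owned, sizeof pam_owned, "%s", user);
    const char *name = pam_owned;           /* borrowed, not copied */
    later_module_runs();
    const struct acct *a = lookup(name);    /* name is now garbage: NULL */
    struct acct fallback = { "", 0 };       /* default values: uid 0 is root */
    if (a == NULL) a = &fallback;
    return (long)a->uid;
}

/* Hardened pattern: take a private copy at once and fail closed on NULL. */
static long login_hardened(const char *user) {
    char name[sizeof pam_owned];
    snprintf(pam_owned, sizeof pam_owned, "%s", user);
    snprintf(name, sizeof name, "%s", pam_owned);   /* private copy */
    later_module_runs();
    const struct acct *a = lookup(name);
    return a ? (long)a->uid : -1;           /* -1 means login refused */
}

int main(void) {
    printf("flawed: uid %ld, hardened: uid %ld\n",
           login_flawed("alice"), login_hardened("alice"));
    return 0;
}
```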




Updated Jun 17, 2009

Summary: Archive of the gentoo-announce mailing list.


Copyright 2001-2013 Gentoo Foundation, Inc.