--------------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE : shadow
SUMMARY : Bug in PAM config
DATE    : 2002-04-04 02:33:00

--------------------------------------------------------------------------

OVERVIEW

The effect of this bug is that anyone who has a valid password for any user on
the system can log in as root, either from the console or via telnet. To
trigger this bug you had to log in with an incorrect password 3 times
(via console) or 4 times (via telnet), and on the 4th or 5th attempt enter
the correct password. Doing so would drop you to a root prompt with no home
directory. Note that Gentoo does not allow telnet access by default, and
ssh was unaffected by this bug.

DETAIL

Recently, Gentoo started using a PAM module called pam_stack along with
pam_pwdb. pam_stack allows for better flexibility when configuring PAM
security settings. The combination of pam_pwdb and pam_stack caused the
bug described above. In the past pam_pwdb was used by itself and did not
exhibit this bug. When we discovered this bug we replaced pam_pwdb with
pam_unix. The combination of pam_unix and pam_stack does not have this bug.
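
Added example, not code from the GLSA or from Gentoo: a small POSIX shell audit that flags a PAM configuration directory still combining pam_stack with pam_pwdb, the pairing the advisory names as the cause. The directory layout, file contents and module option strings are assumptions constructed for illustration, not Gentoo's actual files.

```shell
#!/bin/sh
# Added example, not part of the GLSA: audit a PAM configuration directory
# for the pam_stack + pam_pwdb combination the advisory describes.
# Assumption: files reference the literal module names pam_stack.so and
# pam_pwdb.so; the sample directory built below is constructed, not real.

# List the PAM modules referenced by non-comment lines in a directory.
pam_modules_in() {
    cat "$1"/* 2>/dev/null | grep -v '^[[:space:]]*#' \
        | grep -o 'pam_[a-z_]*\.so' | sort -u
}

# Report "vulnerable" when both modules are present, "ok" otherwise.
audit_pam_dir() {
    mods=$(pam_modules_in "$1")
    if echo "$mods" | grep -qx 'pam_stack.so' \
        && echo "$mods" | grep -qx 'pam_pwdb.so'; then
        echo vulnerable
    else
        echo ok
    fi
}

# Build a constructed sample directory: login stacks system-auth, and
# system-auth authenticates with the given module (pam_pwdb or pam_unix).
make_sample() {
    dir="$1"; authmod="$2"
    mkdir -p "$dir"
    printf 'auth     required   pam_stack.so service=system-auth\n' > "$dir/login"
    printf '# comment lines are ignored by the audit\n' > "$dir/system-auth"
    printf 'auth     required   %s nullok\n' "$authmod" >> "$dir/system-auth"
    printf 'account  required   %s\n' "$authmod" >> "$dir/system-auth"
}

# Demo: compare a "before" layout (pam_pwdb) with the fixed one (pam_unix).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/before" pam_pwdb.so
    make_sample "$tmp/after" pam_unix.so
    echo "before: $(audit_pam_dir "$tmp/before")"   # vulnerable
    echo "after:  $(audit_pam_dir "$tmp/after")"    # ok
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see both verdicts, or point `audit_pam_dir` at a real /etc/pam.d to check a host before and after the update.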

SOLUTION

Install sys-apps/shadow-4.0.2-r2 or higher.

It is recommended that all Gentoo users apply the update.

Portage Auto:

emerge rsync
emerge --update world

Portage by hand:

emerge rsync
emerge sys-libs/shadow

--------------------------------------------------------------------------
jhhudso@g.o
--------------------------------------------------------------------------

(forwarded by me)

--
Daniel Robbins <drobbins@g.o>
Chief Architect/President http://www.gentoo.org
Gentoo Technologies, Inc.