CVE-2009-0887

Related Files

Ubuntu Security Notice USN-1140-1

Posted May 30, 2011

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1140-1 - Marcus Granado discovered that PAM incorrectly handled configuration files with non-ASCII usernames. A remote attacker could use this flaw to cause a denial of service, or possibly obtain login access with a different users username. This issue only affected Ubuntu 8.04 LTS. It was discovered that the PAM pam_xauth, pam_env and pam_mail modules incorrectly handled dropping privileges when performing operations. A local attacker could use this flaw to read certain arbitrary files, and access other sensitive information. It was discovered that the PAM pam_namespace module incorrectly cleaned the environment during execution of the namespace.init script. A local attacker could use this flaw to possibly gain privileges. It was discovered that the PAM pam_xauth module incorrectly handled certain failures. A local attacker could use this flaw to delete certain unintended files. It was discovered that the PAM pam_xauth module incorrectly verified certain file properties. A local attacker could use this flaw to cause a denial of service.

tags | advisory, remote, denial of service, arbitrary, local

systems | linux, ubuntu

advisories | CVE-2010-3435, CVE-2009-0887, CVE-2010-3316, CVE-2010-3430, CVE-2010-3431, CVE-2010-3435, CVE-2010-3853, CVE-2010-4706, CVE-2010-4707

SHA-256 | 1475b1ea584745e75607c08eb5e889073214913e719c51acce41d09dc235d52b

Download | Favorite | View

Gentoo Linux Security Advisory 200909-1

Posted Sep 7, 2009

Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory GLSA 200909-01 - An error in the handling of user names of Linux-PAM might allow remote attackers to cause a Denial of Service or escalate privileges. Marcus Granado reported that Linux-PAM does not properly handle user names that contain Unicode characters. This is related to integer signedness errors in the pam_StrTok() function in libpam/pam_misc.c. Versions less than 1.0.4 are affected.

tags | advisory, remote, denial of service

systems | linux, gentoo

advisories | CVE-2009-0887

SHA-256 | f689910344730f64cedc83a43ba7c375638246dfee7417bdcbf897b81cd39b26

Download | Favorite | View

Mandriva Linux Security Advisory 2009-077

Posted Mar 24, 2009

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-077 - Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt. The updated packages have been patched to prevent this. Additionally some development packages were missing that are required to build pam for CS4, these are also provided with this update.

tags | advisory, remote, denial of service

systems | linux, mandriva

advisories | CVE-2009-0887

SHA-256 | aa3350e5851ab68970d09408a94524afe71d9de8136f92bf3f4506c2cc273527

Download | Favorite | View