Ubuntu Security Notice 1140-1 - Marcus Granado discovered that PAM incorrectly handled configuration files with non-ASCII usernames. A remote attacker could use this flaw to cause a denial of service, or possibly obtain login access with a different user's username. This issue only affected Ubuntu 8.04 LTS. It was discovered that the PAM pam_xauth, pam_env and pam_mail modules incorrectly handled dropping privileges when performing operations. A local attacker could use this flaw to read certain arbitrary files and access other sensitive information. It was discovered that the PAM pam_namespace module incorrectly cleaned the environment during execution of the namespace.init script. A local attacker could use this flaw to possibly gain privileges. It was discovered that the PAM pam_xauth module incorrectly handled certain failures. A local attacker could use this flaw to delete certain unintended files. It was discovered that the PAM pam_xauth module incorrectly verified certain file properties. A local attacker could use this flaw to cause a denial of service.
1475b1ea584745e75607c08eb5e889073214913e719c51acce41d09dc235d52b
Gentoo Linux Security Advisory GLSA 200909-01 - An error in the handling of user names of Linux-PAM might allow remote attackers to cause a Denial of Service or escalate privileges. Marcus Granado reported that Linux-PAM does not properly handle user names that contain Unicode characters. This is related to integer signedness errors in the pam_StrTok() function in libpam/pam_misc.c. Versions less than 1.0.4 are affected.
f689910344730f64cedc83a43ba7c375638246dfee7417bdcbf897b81cd39b26
Mandriva Linux Security Advisory 2009-077 - Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt. The updated packages have been patched to prevent this. Additionally, some development packages required to build pam for CS4 were missing; these are also provided with this update.
aa3350e5851ab68970d09408a94524afe71d9de8136f92bf3f4506c2cc273527