ID CVE-2009-0887
Summary Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.
References
Vulnerable Configurations
  • cpe:2.3:a:linux-pam:linux-pam:0.99.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:0.99.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:0.99.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:linux-pam:linux-pam:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:linux-pam:linux-pam:1.0.3:*:*:*:*:*:*:*
CVSS
Base: 6.6 (as of 03-01-2019 - 15:01)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
LOCAL MEDIUM SINGLE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:L/AC:M/Au:S/C:C/I:C/A:C
refmap via4
bid 34010
confirm
fedora
  • FEDORA-2009-3204
  • FEDORA-2009-3231
mandriva MDVSA-2009:077
mlist [oss-security] 20090305 CVE Request -- pam
secunia 34733
xf linuxpam-pamstrtok-priv-escalation(49110)
statements via4
contributor Tomas Hoger
lastmodified 2009-03-13
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-0887 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 03-01-2019 - 15:01
Published 12-03-2009 - 15:20
Back to Top