Debian Bug report logs -
#514437
chage -m / passwd -n (--mindays) have no effect (Lenny)
Reported by: Stefan Lienesch <lienesch.gag@ewetel.net>
Date: Sat, 7 Feb 2009 15:39:01 UTC
Severity: normal
Tags: fixed-upstream, security
Fixed in version pam/1.0.1-10
Done: Steve Langasek <vorlon@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#514437; Package passwd.
(Sat, 07 Feb 2009 15:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Stefan Lienesch <lienesch.gag@ewetel.net>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
(Sat, 07 Feb 2009 15:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: passwd
Version: 1:4.1.1-6
Severity: normal
After typing e.g.
chage -m 10000 <user>
as root the user is still allowed to change his password.
The MINDAYS-Field in /etc/shadow shows the correct value after the command above
but it has no effect.
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages passwd depends on:
ii debianutils 2.30 Miscellaneous utilities specific t
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libpam-modules 1.0.1-5 Pluggable Authentication Modules f
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
passwd recommends no packages.
passwd suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#514437; Package passwd.
(Sun, 08 Feb 2009 21:12:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
(Sun, 08 Feb 2009 21:12:22 GMT) (full text, mbox, link).
Message #10 received at 514437@bugs.debian.org (full text, mbox, reply):
reassign 514437 libpam-modules
tags 514437 security
thanks
Hello,
On Sat, Feb 07, 2009 at 04:37:10PM +0100, lienesch.gag@ewetel.net wrote:
>
> After typing e.g.
>
> chage -m 10000 <user>
>
> as root the user is still allowed to change his password.
>
> The MINDAYS-Field in /etc/shadow shows the correct value after the command above
> but it has no effect.
Thanks for reporting this.
Looking at the PAM sources (greping for sp_min), it seems that PAM does
not use this field anymore.
I had a look at PAM 0.79, and this was one check in _unix_verify_shadow,
called from pam_sm_chauthtok.
if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
&& (spwdent->sp_min != -1))
retval = PAM_AUTHTOK_ERR;
pam_sm_chauthtok still calls _unix_verify_shadow.
_unix_verify_shadow calls _unix_run_verify_binary and check_shadow_expiry
but those are used by pam_sm_acct_mgmt so the above check cannot be added
there.
I did not change the severity of the bug, but I wonder if it should not be
considered for Lenny.
sp_min is part of the security policy for passwords (it can be used to
forbid users changing their password immediately back to the previous
password).
Best Regards,
--
Nekral
Bug reassigned from package `passwd' to `libpam-modules'.
Request was from Nicolas François <nicolas.francois@centraliens.net>
to control@bugs.debian.org.
(Sun, 08 Feb 2009 21:12:45 GMT) (full text, mbox, link).
Tags added: security
Request was from Nicolas François <nicolas.francois@centraliens.net>
to control@bugs.debian.org.
(Sun, 08 Feb 2009 21:12:45 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#514437; Package libpam-modules.
(Tue, 17 Mar 2009 16:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.
(Tue, 17 Mar 2009 16:21:05 GMT) (full text, mbox, link).
Message #19 received at 514437@bugs.debian.org (full text, mbox, reply):
tags 514437 fixed-upstream
thanks
Hello,
For tracking purpose, this is CVE-2009-0579.
I do not update the bug title because I cannot find this CVE in the
databases (Reserved / Under Review), but it really matches with the
description from upstream and RedHat Bugzilla:
https://www.redhat.com/archives/pam-list/2009-March/msg00006.html
https://bugzilla.redhat.com/show_bug.cgi?id=487216
Best Regards,
--
Nekral
Tags added: fixed-upstream
Request was from Nicolas François <nicolas.francois@centraliens.net>
to control@bugs.debian.org.
(Tue, 17 Mar 2009 16:21:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#514437; Package libpam-modules.
(Fri, 17 Apr 2009 18:12:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.
(Fri, 17 Apr 2009 18:12:07 GMT) (full text, mbox, link).
Message #26 received at 514437@bugs.debian.org (full text, mbox, reply):
Upstream patches appear to be:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_unix/passverify.c?r1=1.4&r2=1.4.2.1
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_unix/pam_unix_acct.c?r1=1.23&r2=1.23.2.1
--
Kees Cook @debian.org
Tags added: pending
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
(Sat, 18 Apr 2009 21:27:16 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#514437; Package libpam-modules.
(Tue, 28 Apr 2009 15:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>.
(Tue, 28 Apr 2009 15:09:03 GMT) (full text, mbox, link).
Message #33 received at 514437@bugs.debian.org (full text, mbox, reply):
CVE-2009-0579 looks like a good candidate for a stable/old-stable
proposed update since it's not really a security issue, but it would be
good for the package to adhere to the administrator's desired policy.
please coordinate with the security team (team@securuty.debian.org) if
you plan to work on an spu/ospu.
best wishes,
mike
Reply sent
to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.
(Fri, 07 Aug 2009 10:24:15 GMT) (full text, mbox, link).
Notification sent
to Stefan Lienesch <lienesch.gag@ewetel.net>:
Bug acknowledged by developer.
(Fri, 07 Aug 2009 10:24:15 GMT) (full text, mbox, link).
Message #38 received at 514437-close@bugs.debian.org (full text, mbox, reply):
Source: pam
Source-Version: 1.0.1-10
We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:
libpam-cracklib_1.0.1-10_amd64.deb
to pool/main/p/pam/libpam-cracklib_1.0.1-10_amd64.deb
libpam-doc_1.0.1-10_all.deb
to pool/main/p/pam/libpam-doc_1.0.1-10_all.deb
libpam-modules_1.0.1-10_amd64.deb
to pool/main/p/pam/libpam-modules_1.0.1-10_amd64.deb
libpam-runtime_1.0.1-10_all.deb
to pool/main/p/pam/libpam-runtime_1.0.1-10_all.deb
libpam0g-dev_1.0.1-10_amd64.deb
to pool/main/p/pam/libpam0g-dev_1.0.1-10_amd64.deb
libpam0g_1.0.1-10_amd64.deb
to pool/main/p/pam/libpam0g_1.0.1-10_amd64.deb
pam_1.0.1-10.diff.gz
to pool/main/p/pam/pam_1.0.1-10.diff.gz
pam_1.0.1-10.dsc
to pool/main/p/pam/pam_1.0.1-10.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 514437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 06 Aug 2009 17:54:32 +0100
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source all amd64
Version: 1.0.1-10
Distribution: unstable
Urgency: high
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description:
libpam-cracklib - PAM module to enable cracklib support
libpam-doc - Documentation of PAM
libpam-modules - Pluggable Authentication Modules for PAM
libpam-runtime - Runtime support for the PAM library
libpam0g - Pluggable Authentication Modules library
libpam0g-dev - Development files for PAM
Closes: 439268 514437 519927 520115 520785 521530 521874 524285
Changes:
pam (1.0.1-10) unstable; urgency=high
.
[ Steve Langasek ]
* Updated debconf translations:
- Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #520785)
- Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #521874)
- German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #521530)
- Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
(closes: #524285)
* When no profiles are chosen in pam-auth-update, throw an error message
and prompt again instead of letting the user end up with an insecure
system. This introduces a new debconf template. Closes: #519927,
LP: #410171.
.
[ Kees Cook ]
* Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes
for MINDAYS-Field regression (closes: #514437).
* debian/control: add missing misc:Depends for packages that need it.
.
[ Sam Hartman ]
* Remove conflicts information for transitions prior to woody release
* Fix lintian overrides for libpam-runtime
* Overrides for lintian finding quilt patches
* pam_mail-fix-quiet: patch from Andreas Henriksson
applied upstream to fix quiet option of pam_mail, Closes: #439268
.
[ Dustin Kirkland ]
* debian/patches/update-motd: run the update-motd scripts in pam_motd;
render update-motd obsolete, LP: #399071
.
[ Sam Hartman ]
* cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
(CVE-2009-0887) (Closes: #520115)
Checksums-Sha1:
a34c54b08bdbdb2b449fc4ea7f698c6a6544ca83 1476 pam_1.0.1-10.dsc
2352cfcab3b9dfd58288f689dd8185f6e25ff5c3 168757 pam_1.0.1-10.diff.gz
1c0f22a6142387a89fb61f0c64e3d2b365fb4472 185302 libpam-runtime_1.0.1-10_all.deb
82e4437148dd3eb0339f823efca1542f3a8936e3 290030 libpam-doc_1.0.1-10_all.deb
89593e28667fbd096a603e9aa671182a7b9e76dc 107424 libpam0g_1.0.1-10_amd64.deb
ba5ee564239ccc995c70dcd9e026ddf37b683acb 308352 libpam-modules_1.0.1-10_amd64.deb
91e97cfca222cbbf1759622f7f6e16a97aad0385 164620 libpam0g-dev_1.0.1-10_amd64.deb
3622324c43229759bdf46b08f6c99400f0c69c5f 67122 libpam-cracklib_1.0.1-10_amd64.deb
Checksums-Sha256:
524ad52a2cb21ef2d7d0b3e789502b6b018331d8762ea1b8fc2d1ad3c846893f 1476 pam_1.0.1-10.dsc
3a77a847b3047e953c21d20eac91fb5082abe2aaafbd60c3fa67b916b8a9541a 168757 pam_1.0.1-10.diff.gz
bcc1d318615ca39e42b3ff096d740269d98f767bf91ff0fa556d49ca39afd09c 185302 libpam-runtime_1.0.1-10_all.deb
f265f0f496c38f6090423dde359af0d94ffef70f316f46e91ceb3356d047d714 290030 libpam-doc_1.0.1-10_all.deb
d5550e7e11f46084c8f90f14cc270791dcdbb034bce72e565182923ed3fad85b 107424 libpam0g_1.0.1-10_amd64.deb
295ed8f48dd1d80f5c838d2832ee4277afb7ef5c34f154fd0a7003fabb71f8c5 308352 libpam-modules_1.0.1-10_amd64.deb
0e857df2a93516c824b32fd3a0d429b0ff60d9d4071f5c9aef6f9648de824aa5 164620 libpam0g-dev_1.0.1-10_amd64.deb
bf473afe6779e4abe1c5db16cea16c7624f147be97ca9bb98ac4c7654e32ed07 67122 libpam-cracklib_1.0.1-10_amd64.deb
Files:
e855122d140c1a44924fb54626054589 1476 libs optional pam_1.0.1-10.dsc
92722914c958c0a61b824ff3279a761c 168757 libs optional pam_1.0.1-10.diff.gz
fd6d366f7937cdcb815324567c7687e4 185302 admin required libpam-runtime_1.0.1-10_all.deb
1bb98d626982f15d37a2067fd5bbdf53 290030 doc optional libpam-doc_1.0.1-10_all.deb
dc49fdff0e24efdcc8e565b62313a4e5 107424 libs required libpam0g_1.0.1-10_amd64.deb
e8b87833baa1ab14e81cd07e1d625ab2 308352 admin required libpam-modules_1.0.1-10_amd64.deb
58844a1f9adfd79ee6418857b343fc2c 164620 libdevel optional libpam0g-dev_1.0.1-10_amd64.deb
d5b97024de0f82e6a0342c0a1ae4e6b5 67122 admin optional libpam-cracklib_1.0.1-10_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKe+8IKN6ufymYLloRAmILAKCsex73eImP7a223I7bL736aBJSxACeIncJ
4BG4q4uLjYnmhrb90deF6Ak=
=wLvA
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 11 Sep 2009 07:54:29 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:02:35 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon