pam: CVE-2014-2583 pam_timestamp directory traversal issues

Related Vulnerabilities: CVE-2014-2583, CVE-2013-7041

Debian Bug report logs - #757555


Package: src:pam; Maintainer for src:pam is Steve Langasek <vorlon@debian.org>;

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sat, 9 Aug 2014 10:21:02 UTC

Severity: important

Tags: patch, security

Found in version pam/1.1.3-7

Fixed in version pam/1.1.8-3.1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#757555; Package src:pam. (Sat, 09 Aug 2014 10:21:07 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Sat, 09 Aug 2014 10:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pam: CVE-2014-2583 pam_timestamp directory traversal issues
Date: Sat, 9 Aug 2014 06:19:00 -0400
package: src:pam
severity: important
version: 1.1.3-7
tags: security

Multiple directory traversal issues have been fixed in pam_timestamp:
https://security-tracker.debian.org/tracker/CVE-2014-2583

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#757555; Package src:pam. (Sun, 10 Aug 2014 01:51:05 GMT)


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Sun, 10 Aug 2014 01:51:05 GMT)


Message #10 received at 757555@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Michael Gilbert <mgilbert@debian.org>, 757555@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#757555: pam: CVE-2014-2583 pam_timestamp directory traversal issues
Date: Sat, 9 Aug 2014 18:46:09 -0700
On Sat, Aug 09, 2014 at 06:19:00AM -0400, Michael Gilbert wrote:
> package: src:pam
> severity: important
> version: 1.1.3-7
> tags: security

> Multiple directory traversal issues have been fixed in pam_timestamp:
> https://security-tracker.debian.org/tracker/CVE-2014-2583

Which according to elsewhere in my mailbox, you've dealt with by uploading a
10-day delayed NMU.  This is unacceptable.  The NMU process always requires
that you send your NMU diff to the BTS for review by the maintainer *first*.
When doing a delayed NMU, it's reasonable to send this diff to the BTS at
the same time.  Here, you have failed to send this NMU diff at all, and the
only notification has been an easily-overlooked mail from the ftp-master
queue software.

Maintainers should not have to go grubbing around in the delayed queue to
find out what's been uploaded.  The NMUer is responsible for sending the NMU
diff to the maintainer.

I have removed pam_1.1.3-8.1_amd64.changes from the delayed queue.  If you
have changes that you would like to see included in this package, please
send them to the BTS where they belong.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#757555; Package src:pam. (Sun, 10 Aug 2014 19:27:09 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 10 Aug 2014 19:27:09 GMT)


Message #15 received at 757555@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 757555@bugs.debian.org, debian developers <debian-devel@lists.debian.org>, 731368@bugs.debian.org
Subject: Re: Bug#757555: pam: CVE-2014-2583 pam_timestamp directory traversal issues
Date: Sun, 10 Aug 2014 15:23:47 -0400
control: tag -1 patch

On Sat, Aug 9, 2014 at 9:46 PM, Steve Langasek wrote:
> Which according to elsewhere in my mailbox, you've dealt with by uploading a
> 10-day delayed NMU.  This is unacceptable

Sorry for not getting the nmu mail out in a timely manner, but real
life got in the way.

What is not acceptable is the assumed bad faith and the misguided
attempt at public shaming (after only half a day) without considering
the possibility of RL events or other benign possibilities.  A simple
"hey, what's going on with this thing I'm seeing in deferred" mail
directed at me would have been the kind thing to do.

> I have removed pam_1.1.3-8.1_amd64.changes from the delayed queue.  If you
> have changes that you would like to see included in this package, please
> send them to the BTS where they belong.

The proposed patch is now attached.  I plan to upload that to
delayed/5 after about a week or so to give you lots of additional time
for review (way more than the normal nmu process requires).

Best wishes,
Mike
[pam.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to 757555-submit@bugs.debian.org. (Sun, 10 Aug 2014 19:27:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#757555; Package src:pam. (Fri, 15 Aug 2014 20:57:17 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 15 Aug 2014 20:57:18 GMT)


Message #22 received at 757555@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 731368@bugs.debian.org, 757555@bugs.debian.org
Subject: Security nmu
Date: Fri, 15 Aug 2014 16:51:54 -0400
control: tag -1 pending

Hi, I've uploaded the previously described nmu to delayed/10 now.
Please let me know if I should delay longer.

Best wishes,
Mike



Added tag(s) pending. Request was from Michael Gilbert <mgilbert@debian.org> to 757555-submit@bugs.debian.org. (Fri, 15 Aug 2014 20:57:18 GMT)


Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Mon, 25 Aug 2014 21:39:24 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Mon, 25 Aug 2014 21:39:24 GMT)


Message #29 received at 757555-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 757555-close@bugs.debian.org
Subject: Bug#757555: fixed in pam 1.1.8-3.1
Date: Mon, 25 Aug 2014 21:37:22 +0000
Source: pam
Source-Version: 1.1.8-3.1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 757555@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 09 Aug 2014 09:50:42 +0000
Source: pam
Binary: libpam0g libpam-modules libpam-modules-bin libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source amd64 all
Version: 1.1.8-3.1
Distribution: unstable
Urgency: high
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-modules-bin - Pluggable Authentication Modules for PAM - helper binaries
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 731368 757555
Changes:
 pam (1.1.8-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2013-7041: case-insensitive comparison used for verifying
     passwords in the pam_userdb module (closes: #731368).
   * Fix CVE-2014-2583: multiple directory traversal issues in the
     pam_timestamp module (closes: 757555)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 25 Sep 2014 07:32:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:39 2019; Machine Name: beach
