CVE-2009-0887 — Linux-pam vulnerability

CWE-1899 documents7 sources

Severity

6.6MEDIUMNVD

EPSS

0.2%

top 56.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PAM Debian PAM Linux-pam

Timeline

PublishedMar 12

Latest updateMay 2

Description

Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.

CVSS vector

AV:L/AC:M/C:C/I:C/A:CExploitability: 2.7 | Impact: 10.0

Affected Packages3 packages

▶NVDlinux-pam/linux-pam1.0.3+19

▶debiandebian/pam< pam 1.0.1-10 (bookworm)

▶Debianpam/pam< 1.0.1-10+3

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-p45g-44mp-mq74: Integer signedness error in the _pam_StrTok function in libpam/pam_misc↗2022-05-02

▶

OSV

CVE-2009-0887: Integer signedness error in the _pam_StrTok function in libpam/pam_misc↗2009-03-12

▶

📋Vendor Advisories

Ubuntu

PAM regression↗2011-05-31

▶

Ubuntu

PAM vulnerabilities↗2011-05-30

▶

Red Hat

pam: integer signedness error in _pam_StrTok()↗2009-02-25

▶

Debian

CVE-2009-0887: pam - Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Lin...↗2009

▶

💬Community

Bugzilla

CVE-2009-1213 bugzilla: CSRF vulnerability in attachment editing↗2009-04-06

▶

Bugzilla

CVE-2009-0887 pam: integer signedness error in _pam_StrTok()↗2009-03-12

▶