Integer Signedness Error in Linux-PAM Affects User Authentication
CVE-2009-0887
Currently unrated
What is CVE-2009-0887?
An integer signedness error exists in the _pam_StrTok function of Linux-PAM versions up to 1.0.3. This vulnerability is triggered when configuration files include non-ASCII usernames, potentially allowing remote attackers to induce a denial of service. Furthermore, authenticated users could exploit this flaw to gain access using another user's non-ASCII username, compromising account security and integrity.
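The bug class described above, shown as an added illustration (this is not Linux-PAM's code and not taken from the original page). It assumes a tokenizer that marks delimiters in a 256-entry lookup table indexed by each input byte; the names index_signed, index_unsigned and first_token and the sample line are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample line: UTF-8 "jörg" (ö = 0xC3 0xB6) followed by another field. */
static const char SAMPLE[] = " j\xc3\xb6" "rg other";

/* Table index produced when the byte is treated as a signed char, which is
 * what plain char is on x86 Linux: bytes >= 0x80 become negative. */
int index_signed(const char *s, size_t i) { return (int)(signed char)s[i]; }

/* Table index after converting through unsigned char: always 0..255. */
int index_unsigned(const char *s, size_t i) { return (int)(unsigned char)s[i]; }

/* Hardened tokenizer step (hypothetical helper): skip leading delimiters,
 * report where the first token starts and return its length in bytes.
 * Every table access goes through an unsigned char cast. */
size_t first_token(const char *in, const char *delims, size_t *start)
{
    unsigned char is_delim[256] = {0};
    size_t i = 0, j;

    for (; *delims; ++delims)
        is_delim[(unsigned char)*delims] = 1;
    while (in[i] && is_delim[(unsigned char)in[i]])
        ++i;
    for (j = i; in[j] && !is_delim[(unsigned char)in[j]]; ++j)
        ;
    *start = i;
    return j - i;
}

int main(void)
{
    size_t start, len = first_token(SAMPLE, " \t", &start);

    printf("byte 0xC3 as signed index:   %d\n", index_signed(SAMPLE, 2));
    printf("byte 0xC3 as unsigned index: %d\n", index_unsigned(SAMPLE, 2));
    printf("token at offset %zu, %zu bytes\n", start, len);
    return 0;
}
```

A negative index falls outside the table, so the result of the delimiter test depends on whatever memory sits before it; the unsigned char cast keeps every lookup inside the 256 entries and the non-ASCII username is tokenized as a single field.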