Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0887 to the following vulnerability:

Name: CVE-2009-0887
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887
Assigned: 20090312
Reference: MLIST:[oss-security] 20090305 CVE Request -- pam
Reference: URL: http://openwall.com/lists/oss-security/2009/03/05/1
Reference: CONFIRM: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?r1=1.9&r2=1.10&view=patch
Reference: CONFIRM: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?view=log
Reference: BID:34010
Reference: URL: http://www.securityfocus.com/bid/34010
Reference: XF:linuxpam-pamstrtok-priv-escalation(49110)
Reference: URL: http://xforce.iss.net/xforce/xfdb/49110

Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt.
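The signedness pitfall named in the CVE text, as an added illustration in C that is not Linux-PAM's code: a constructed table-driven tokenizer in which a plain `char` used as a table index goes negative for non-ASCII bytes, next to the `unsigned char` form that stays in range. The 256-entry table layout, the sample configuration line and the function names are assumptions, not taken from pam_misc.c.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Constructed illustration of a char signedness error in a table-driven
 * tokenizer. Not Linux-PAM code: the delimiter-table layout is assumed. */

/* Vulnerable pattern: a plain char promoted to int keeps its sign, so on a
 * signed-char platform a non-ASCII byte such as 0xC3 (first byte of UTF-8
 * "é") becomes -61 and would index before the start of a 256-entry table.
 * Returns the index that would be used, without touching memory. */
int delim_index_signed(char c)
{
    return (int)c;
}

/* Fixed pattern: cast through unsigned char first, so every byte maps
 * to 0..255 regardless of the platform's char signedness. */
int delim_index_unsigned(char c)
{
    return (int)(unsigned char)c;
}

/* Count the bytes of s that the vulnerable pattern would turn into an
 * out-of-range index. Non-zero means a configuration line with this
 * content would trigger the bug class described in the CVE text. */
int count_bad_indices(const char *s)
{
    int bad = 0;
    for (; *s; ++s)
        if (delim_index_signed(*s) < 0 || delim_index_signed(*s) > 255)
            ++bad;
    return bad;
}

/* Safe tokenizer in the same table-driven style: builds a 256-entry
 * delimiter table and returns the length of the first token of s. */
size_t first_token_len(const char *s, const char *delims)
{
    unsigned char table[256] = {0};
    size_t n = 0;
    for (; *delims; ++delims)
        table[(unsigned char)*delims] = 1;   /* index always 0..255 */
    while (s[n] && !table[(unsigned char)s[n]])
        ++n;
    return n;
}

int main(void)
{
    const char *line = "jos\xC3\xA9 required pam_unix.so"; /* constructed */
    printf("bytes mis-indexed by the signed form: %d\n", count_bad_indices(line));
    printf("first token length: %zu bytes\n", first_token_len(line, " \t"));
    return 0;
}
```

On platforms where `char` is unsigned by default (for example most ARM ABIs) the vulnerable form happens to stay in range, which is why `CHAR_MIN` decides the result rather than the bytes alone.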
It is very questionable whether this problem is even a security vulnerability. As the attacker cannot manipulate the configuration files, it would basically require a misconfiguration of pam for the attack to be possible.
pam-1.0.4-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-2.fc9
pam-1.0.4-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/pam-1.0.4-2.fc10
pam-1.0.4-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-3.fc9
pam-1.0.4-4.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc9
pam-1.0.4-4.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/pam-1.0.4-4.fc10
pam-1.0.4-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
pam-1.0.4-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Closing not-a-security-bug based on comment #1. Statement: Red Hat does not consider this issue to be a security vulnerability. The affected function is only used to parse PAM configuration files, and this bug can only be triggered by a specific configuration created by the system administrator.