Commit 5f0d8c57 authored by Natanael Copa's avatar Natanael Copa

main/pam-pgsql: fix CVE-2013-0191

fixes #1605
parent 085280c5
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pam-pgsql
pkgver=0.7.3.1
pkgrel=1
pkgrel=2
pkgdesc="PAM module to authenticate using a PostgreSQL database"
url="http://sourceforge.net/projects/pam-pgsql/"
arch="all"
......@@ -12,7 +12,8 @@ depends_dev=""
makedepends="$depends_dev linux-pam-dev postgresql-dev libgcrypt-dev"
install=""
subpackages="$pkgname-doc"
source="http://downloads.sourceforge.net/project/pam-pgsql/pam-pgsql/0.7/pam-pgsql-$pkgver.tar.gz"
source="http://downloads.sourceforge.net/project/pam-pgsql/pam-pgsql/0.7/pam-pgsql-$pkgver.tar.gz
CVE-2013-0191.patch"
_builddir="$srcdir"/pam-pgsql-$pkgver
prepare() {
......@@ -39,4 +40,5 @@ package() {
|| return 1
}
md5sums="16cb40a16ee1f286906a0d5a90254731 pam-pgsql-0.7.3.1.tar.gz"
md5sums="16cb40a16ee1f286906a0d5a90254731 pam-pgsql-0.7.3.1.tar.gz
4a8640edb8eaee4456fa91ad8c22ab7f CVE-2013-0191.patch"
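Review bot: The upstream tarball in `source=` is still fetched over plain `http://`, and both entries are pinned only by `md5sums`, so the integrity of the build input rests on MD5 alone. MD5 is not collision-resistant; if the abuild version in use accepts a stronger checksum array (for example `sha512sums`), adding it alongside `md5sums` for the tarball and `CVE-2013-0191.patch` would close that gap. Whether the download host offers HTTPS is not visible from this page.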
--- ./src/backend_pgsql.c.orig 2013-02-07 13:06:48.982679657 +0000
+++ ./src/backend_pgsql.c 2013-02-07 13:09:00.973830056 +0000
@@ -258,7 +258,7 @@
if(pg_execParam(conn, &res, options->query_auth, service, user, passwd, rhost) == PAM_SUCCESS) {
if(PQntuples(res) == 0) {
rc = PAM_USER_UNKNOWN;
- } else {
+ } else if (!PQgetisnull(res, 0, 0)) {
char *stored_pw = PQgetvalue(res, 0, 0);
if (!strcmp(stored_pw, (tmp = password_encrypt(options, user, passwd, stored_pw)))) rc = PAM_SUCCESS;
free (tmp);
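Review bot: When the first column is NULL, the new `else if (!PQgetisnull(res, 0, 0))` branch is skipped and nothing assigns `rc`, so the result depends on whatever value `rc` holds from code outside this hunk. If that initial value is not a failure code, a NULL password row would still not be rejected; an explicit final branch such as `} else { rc = PAM_AUTH_ERR; }` would make the denial visible at this point. A non-NULL but empty stored password still reaches the `strcmp`, and whether that can match depends on `password_encrypt`, which is not shown here. The enclosing function begins and ends outside the hunk.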