[Secure-testing-team] Bug#498236: libpam-modules: Login incorrect message after entering non-existent login name

Roberto Lumbreras rover at debian.org
Mon Sep 8 11:50:19 UTC 2008

Package: libpam-modules
Severity: grave
Tags: security
Justification: user security hole

In the console login prompt entering a non-existent login you get
a "Login incorrect" message WITHOUT being asked for any password.

This is a serious security hole, because pam is revealing information
about the accounts that exist on the system.

Version 1.0.1 of the pam packages seems to have the same problem.

Roberto Lumbreras

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-modules depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries
ii  libdb4.6                      4.6.21-8   Berkeley v4.6 Database Libraries [
ii  libpam0g             Pluggable Authentication Modules l
ii  libselinux1                   2.0.59-1   SELinux shared libraries

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- no debconf information
