1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200501-22 / poppassd_pam |
| Release Date | January 11, 2005 |
| Latest Revision | January 11, 2005: 01 |
| Impact | high |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-mail/poppassd_ceti | <= 1.0 | >= 1.8.4 | All supported architectures |
| net-mail/poppassd_pam | <= 1.0 | All supported architectures |
Related bugreports: #75820
poppassd_pam allows anyone to change any user's password without authenticating the user first.
poppassd_pam is a PAM-enabled server for changing system passwords that can be used to change POP server passwords.
Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Our investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.
A remote attacker could change the system password of any user, including root. This leads to a complete compromise of the POP accounts, and may also lead to a complete root compromise of the affected server, if it also provides shell access authenticated using system passwords.
There is no known workaround at this time.
All poppassd_pam users should migrate to the new package called poppassd_ceti:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4" |
Note: Portage will automatically replace the poppassd_pam package by the poppassd_ceti package.