[Pkg-giraffe-maintainers] Bug#1016973: kopanocore: CVE-2022-26562

Andreas Rönnquist gusnan at debian.org
Thu Aug 11 15:45:06 BST 2022


To me it looks like the pam authenticator check misses a check with
pam_acct_mgmt in addition to the pam_authenticate that is already
there, see the attached patch.

myproxy has similar code, and does a similar thing here:

https://sources.debian.org/src/myproxy/6.2.14-2/auth_pam.c/?hl=227#L227

(It checks first with pam_authenticate(), then with pam_acct_mgmt(),
and would fail if account or password is expired).

-- Andreas Rönnquist
gusnan at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2022-26562-Check-account-validation-in-addition-to-au.patch
Type: text/x-patch
Size: 1009 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-giraffe-maintainers/attachments/20220811/b3c4491e/attachment.bin>
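
The ordering described in the message above, as an added example (it is not kopanocore or myproxy code, and not the attached patch): a login decision that requires both steps to succeed. The PAM calls are injected as function pointers and the return codes are constructed stand-ins so the logic runs without a PAM stack; `check_login`, the `RC_*` codes and the test doubles are hypothetical names.

```c
#include <stdio.h>

/* Constructed stand-ins; real code uses PAM_SUCCESS, PAM_AUTH_ERR,
 * PAM_ACCT_EXPIRED and PAM_NEW_AUTHTOK_REQD from <security/pam_appl.h>. */
enum { RC_SUCCESS = 0, RC_AUTH_ERR, RC_ACCT_EXPIRED, RC_NEW_AUTHTOK_REQD };

struct pam_handle;  /* opaque, never dereferenced here */
/* Same shape as pam_authenticate(pamh, flags) and pam_acct_mgmt(pamh, flags). */
typedef int (*pam_step)(struct pam_handle *pamh, int flags);

struct login_result {
    int allowed;        /* 1 only when both steps returned success */
    int rc;             /* return code of the step that decided */
    const char *stage;  /* which step decided */
};

/* Hypothetical helper: verify the credential, then the account state.
 * Without the second call, a correct password for an expired account
 * (or an expired password) is still accepted. */
static struct login_result check_login(struct pam_handle *pamh,
                                       pam_step authenticate, pam_step acct_mgmt)
{
    struct login_result r = { 0, RC_AUTH_ERR, "authenticate" };

    r.rc = authenticate(pamh, 0);
    if (r.rc != RC_SUCCESS)
        return r;                    /* bad credential: stop here */
    r.stage = "acct_mgmt";
    r.rc = acct_mgmt(pamh, 0);
    /* A service that cannot prompt for a new password treats every
     * non-success code, including "new token required", as a denial. */
    r.allowed = (r.rc == RC_SUCCESS);
    return r;
}

/* Constructed test doubles standing in for a configured PAM stack. */
static int acct_calls;
static int cred_ok(struct pam_handle *h, int f)  { (void)h; (void)f; return RC_SUCCESS; }
static int cred_bad(struct pam_handle *h, int f) { (void)h; (void)f; return RC_AUTH_ERR; }
static int acct_ok(struct pam_handle *h, int f)  { (void)h; (void)f; acct_calls++; return RC_SUCCESS; }
static int acct_expired(struct pam_handle *h, int f) { (void)h; (void)f; acct_calls++; return RC_ACCT_EXPIRED; }
static int pw_expired(struct pam_handle *h, int f)   { (void)h; (void)f; acct_calls++; return RC_NEW_AUTHTOK_REQD; }

int main(void)
{
    struct login_result r = check_login(NULL, cred_ok, acct_expired);
    printf("allowed=%d stage=%s rc=%d\n", r.allowed, r.stage, r.rc);
    return r.allowed;   /* 0: the expired account is rejected */
}
```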