oss-sec mailing list archives

CVE request - Debian/Ubuntu PAM auth module selection


From: Kees Cook <kees () ubuntu com>
Date: Tue, 8 Sep 2009 16:09:59 -0700

Hi,

I'd like to request a CVE for an issue that came up in the Debian and
Ubuntu configuration tools used on PAM.  From the USN
http://www.ubuntu.com/usn/usn-828-1:

 Russell Senior discovered that the system authentication module selection
 mechanism for PAM did not safely handle an empty selection. If an
 administrator had specifically removed the default list of modules or
 failed to choose a module when operating debconf in a very unlikely
 non-default configuration, PAM would allow any authentication attempt,
 which could lead to remote attackers gaining access to a system with
 arbitrary privileges. This did not affect default Ubuntu installations.

Also tracked as:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
https://bugs.launchpad.net/bugs/410171

This was a Debian and Ubuntu specific issue, and only Ubuntu had supported
releases with this flaw present (the issue never made it to Debian
stable).

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team
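As an added illustration, not part of the original message or of the Debian/Ubuntu PAM tooling, the following audit parses a Debian-style /etc/pam.d/common-auth and flags an auth stack that contains no module capable of rejecting a login. The two sample stacks are constructed here; they do not reproduce the exact file the affected tool generated, only the safe and unsafe shapes the advisory describes.

```python
import re
from typing import List

# Constructed sample: a healthy Debian-style common-auth stack.
HEALTHY_COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already
auth    required                        pam_permit.so
"""

# Constructed sample: the module selection was emptied, so only the
# unconditional pam_permit.so line remains in the auth phase.
EMPTY_SELECTION_COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
# here's the fallback if no module succeeds
# prime the stack with a positive return value if there isn't one already
auth    required                        pam_permit.so
"""

# Matches "auth <control> <module>", where control is a keyword or a
# bracketed [...] action list; module arguments after the name are ignored.
AUTH_LINE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def auth_modules(text: str) -> List[str]:
    """Return the module names of all non-comment 'auth' lines, in order."""
    modules = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = AUTH_LINE.match(line)
        if match:
            modules.append(match.group(2))
    return modules


def auth_stack_can_deny(text: str) -> bool:
    """True if the auth phase holds at least one module that can fail.

    pam_permit.so always succeeds, so a stack built only from it verifies no
    credential at all; an empty stack is treated as unsafe for the same
    reason (nothing in it checks anything).
    """
    return any(mod != "pam_permit.so" for mod in auth_modules(text))


if __name__ == "__main__":
    for name, stack in (("healthy", HEALTHY_COMMON_AUTH),
                        ("empty selection", EMPTY_SELECTION_COMMON_AUTH)):
        verdict = "ok" if auth_stack_can_deny(stack) else "UNSAFE: permit-only"
        print(f"{name}: {verdict}")
```

Run against a real host by reading /etc/pam.d/common-auth into `auth_stack_can_deny`; a permit-only result is exactly the condition the advisory warns about.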

