CVE Vulnerabilities

CVE-2006-5170

Improper Handling of Exceptional Conditions

Published: Oct 10, 2006 | Modified: Feb 25, 2022
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
RedHat/V2
RedHat/V3
Ubuntu: UNTRIAGED

pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.

Weakness

The product does not handle or incorrectly handles an exceptional condition.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fedora_core | Fedoraproject | * | core_3.0 (including) |
| Enterprise_linux | Redhat | 4.0 (including) | 4.0 (including) |
| Libpam-ldap | Ubuntu | dapper | * |
| Libpam-ldap | Ubuntu | devel | * |
| Libpam-ldap | Ubuntu | edgy | * |
| Libpam-ldap | Ubuntu | feisty | * |
| Red Hat Enterprise Linux 4 | RedHat | nss_ldap-0:226-17 | * |

References