Marking this bug as a security vulnerability - looked manually at the source package for Quetzal (the affected line is still there) and tested crypt's erratic behaviour with "perl -e 'print crypt("testpassword", "")'" (returns an empty string as described).
Also marking the bug private for the moment.

** Visibility changed to: Private

** This bug has been flagged as a security vulnerability

https://bugs.launchpad.net/bugs/943507

Title: libpam-mysql lets you log in with any password when crypt=1 is set and the password field contains an empty string in the user record.
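The failure mode named in the bug title, as an added C example that is not pam-mysql's code and not part of the original report. It assumes the check compares the crypt result against the stored field, and it uses a constructed stand-in for crypt(3) (`stub_crypt`) that returns an empty string for an empty salt, as the Perl test above reports; all function names and the hash placeholder are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder, not a real hash. */
#define STORED_HASH "$1$constructed$placeholderhash"

/* Same signature as crypt(3), injectable so a stub can be used. */
typedef const char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(3): empty salt gives an empty string (the
 * behaviour reported above); otherwise only one known password "hashes" to
 * STORED_HASH. Not a real hashing routine. */
static const char *stub_crypt(const char *key, const char *salt)
{
    if (salt[0] == '\0')
        return "";
    return strcmp(key, "correct-password") == 0 ? STORED_HASH
                                                : "$1$constructed$nomatch";
}

/* Assumed shape of the flawed check: stored field is used as salt and the
 * result is compared with it. Returns 1 when the login is accepted. */
static int naive_check(crypt_fn c, const char *entered, const char *stored)
{
    const char *h = c(entered, stored);
    return h != NULL && strcmp(h, stored) == 0; /* "" matches "" */
}

/* Hardened check: deny when there is no usable hash on record or when
 * crypt fails or returns nothing, before any comparison. */
static int hardened_check(crypt_fn c, const char *entered, const char *stored)
{
    const char *h;
    if (stored == NULL || stored[0] == '\0')
        return 0;
    h = c(entered, stored);
    if (h == NULL || h[0] == '\0')
        return 0;
    return strcmp(h, stored) == 0;
}

int main(void)
{
    printf("naive, empty field:    %d\n", naive_check(stub_crypt, "anything", ""));
    printf("hardened, empty field: %d\n", hardened_check(stub_crypt, "anything", ""));
    return 0;
}
```

On the database side, rejecting rows whose password column is empty or NULL closes the same gap before the module ever calls crypt.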