Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 25 Jun 2015 21:38:16 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: oss-security@...ts.openwall.com
Subject: Linux-PAM 1.2.1 released to address CVE-2015-3238

Hello,

The Linux-PAM project has released a new version to address
a security issue in the pam_unix module.

If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.

This bug may have security implications, e.g. allowing potential
attackers to conduct username enumeration and denial of service attacks.

We would like to thank Sebastien Macke of Trustwave SpiderLabs for
the original bug report and Red Hat security response team for
forwarding this issue.

The code implementing pam_exec expose_authtok option and
pam_unix_passwd.c had a similar issue but its security implications
are not obvious.

In the fix prepared by Tomas Mraz for this Linux-PAM release the
verifiable password length is limited to PAM_MAX_RESP_SIZE bytes
(i.e. 512 bytes).

An alternative approach to fix this issue (implemented in such modules
as pam_tcb) is to temporary ignore SIGPIPE and check for a failed/short
write.  This alternative was considered too complex for a security fix,
though, and the simpler fix was chosen.


-- 
ldv

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.