Bug 270326 (CVE-2008-6792) - <app-admin/system-tools-backends-2.6.1-r1 creates users with 3DES passwords if SHA* is set (CVE-2008-6792)
Status: RESOLVED FIXED
Alias: CVE-2008-6792
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://launchpad.net/bugs/287134
Whiteboard: ~4 [noglsa]
Reported: 2009-05-18 17:22 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-23 22:44 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 17:22:47 UTC
CVE-2008-6792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6792):
  system-tools-backends before 2.6.0-1ubuntu1.1 in Ubuntu 8.10, as used
  by "Users and Groups" in GNOME System Tools, hashes account passwords
  with 3DES and consequently limits effective password lengths to eight
  characters, which makes it easier for context-dependent attackers to
  successfully conduct brute-force password attacks.
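
An added example, not part of the original report or of system-tools-backends: one way to audit shadow(5)-format entries for the condition this CVE describes, accounts whose stored hash is in the legacy 13-character DES-based crypt(3) format (which uses only the first eight password characters) although a SHA scheme was configured. The sample entries and the `expected` parameter are constructed for illustration.

```python
import re

# Legacy crypt(3) output: 2 salt chars + 11 hash chars, no "$" prefix.
LEGACY_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: "$<id>$..."
MODULAR = re.compile(r"^\$([0-9a-z]+)\$")
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def classify(field):
    """Return (scheme, locked) for the password field of a shadow(5) entry."""
    locked = field.startswith("!")
    value = field.lstrip("!")
    if value == "":
        return ("no-hash" if locked else "empty", locked)
    if value == "*":
        return ("no-hash", locked)
    m = MODULAR.match(value)
    if m:
        return (SCHEMES.get(m.group(1), "unknown-" + m.group(1)), locked)
    if LEGACY_DES.match(value):
        return ("legacy-des", locked)
    return ("unrecognised", locked)

def audit(shadow_text, expected="sha512"):
    """List (user, scheme, locked) for accounts not hashed with `expected`."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme, locked = classify(parts[1])
        if scheme not in ("no-hash", expected):
            findings.append((parts[0], scheme, locked))
    return findings

# Constructed sample entries; the hash bodies are filler, not real hashes.
SAMPLE = "\n".join([
    "root:$6$constructedsalt$" + "A" * 86 + ":14382:0:99999:7:::",
    "alice:abCDEFGHIJKLM:14382:0:99999:7:::",
    "bob:!abCDEFGHIJKLM:14382:0:99999:7:::",
    "carol:$1$constructed$" + "B" * 22 + ":14382:0:99999:7:::",
    "daemon:*:14382:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme, locked in audit(SAMPLE):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

Accounts reported as `legacy-des` need a password reset after the fixed package is installed, since the stored hash cannot be converted in place.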
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2009-07-23 22:14:16 UTC
in 2.6.1-r1. Thanks for pointing out a patch.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 22:26:44 UTC
Thanks!

I have sent the patch upstream twice, with no reaction. If they become active and release again, please try to follow up about the patch inclusion.

As this package is p.masked, the bug can be closed. Note to drop stable keywords on the 1.4 when unmasking, otherwise the vulnerability is reintroduced into stable.
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2009-07-23 22:44:55 UTC
Actually I'm thinking of trying to get write access so we can push our big stack of patches. And 1.4 won't be unmasked, it's too old so it'll be killed whenever I unmask what's necessary for gnome-system-tools.