Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 482588 (CVE-2013-4285) - <sys-auth/pam_skey-1.1.5-r5: pam_skey.so does not erase cleartext passwords from memory (CVE-2013-4285)
Summary: <sys-auth/pam_skey-1.1.5-r5: pam_skey.so does not erase cleartext passwords f...
Status: RESOLVED FIXED
Alias: CVE-2013-4285
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-26 18:46 UTC by Ulrich Müller
Modified: 2014-02-09 11:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
files/05_all_delete_response.patch (05_all_delete_response.patch,504 bytes, patch)
2013-08-26 20:50 UTC, Ulrich Müller
no flags Details | Diff
pam_skey-1.1.5-r5.ebuild (pam_skey-1.1.5-r5.ebuild,1.68 KB, text/plain)
2013-08-26 20:56 UTC, Ulrich Müller
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2013-08-26 18:46:31 UTC
The pam_skey.so module uses the pam_set_item() function to pass an authentication token (i.e., a password typed by the user) to the next stacked PAM module. However, in two places in the code it fails to erase the password string afterwards, so that it will stay as cleartext in memory.

As far as I can see, the bug doesn't occur in the upstream version, but was introduced with the patch from bug 55279 comment #4 or <http://dchurch.ath.cx/pam_skey-1.1.3-gentoo-r1.patch.bz2>, so it should affect the Gentoo version only.

A fix is ready and tested locally. Please advise how I shall proceed.
Comment 1 Ulrich Müller gentoo-dev 2013-08-26 20:50:41 UTC
Created attachment 357114 [details, diff]
files/05_all_delete_response.patch

Attached patch should fix all such information leaks.
Comment 2 Ulrich Müller gentoo-dev 2013-08-26 20:56:33 UTC
Created attachment 357116 [details]
pam_skey-1.1.5-r5.ebuild
Comment 3 Ulrich Müller gentoo-dev 2013-08-26 20:59:41 UTC
CCing arches, can you test attached ebuild and patch on amd64 and x86 please?
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-26 21:22:34 UTC
(In reply to Ulrich Müller from comment #3)
> CCing arches, can you test attached ebuild and patch on amd64 and x86 please?

It is fine here. Please commit as stable.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-08-26 22:43:45 UTC
CVE requested via the distros list.
Arches, thanks.
Waiting for CRD.
Comment 6 Ulrich Müller gentoo-dev 2013-08-28 06:04:34 UTC
pam_skey-1.1.5-r5 committed to CVS.
Vulnerable versions removed.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-08-28 09:55:55 UTC
This issue is now public.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-02-09 11:24:36 UTC
This issue was resolved and addressed in
 GLSA 201402-12 at http://security.gentoo.org/glsa/glsa-201402-12.xml
by GLSA coordinator Alex Legler (a3li).