Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 493432 (CVE-2013-7041)

Summary: <sys-libs/pam-1.1.8-r3: password hashes aren't compared case-sensitively
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: pam-bugs+disabled, sudormrfhalt
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1038555
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
pam-1.1.8-cve-2013-7041.patch none

Description Agostino Sarubbo gentoo-dev 2013-12-06 11:00:36 UTC 
From ${URL} :

It was found that in pam_userdb module for Pam, password hashes weren't compared case-sensitively, which 
could lead to acceptance of hashes for completely different passwords, which shouldn't be accepted.

After hashing the user's password with crypt(), pam_userdb compares the result to the stored hash 
case-insensitively with strncasecmp(), which should be avoided, as it could result in an increased 
possibility of a successful brute-force attack.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731368


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andrey Ovcharov 2014-07-29 06:43:34 UTC 
Created attachment 381764 [details, diff]
pam-1.1.8-cve-2013-7041.patch
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:37:16 UTC 
CVE-2013-7041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7041):
  The pam_userdb module for Pam uses a case-insensitive method to compare
  hashed passwords, which makes it easier for attackers to guess the password
  via a brute force attack.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 19:40:32 UTC 
Upstream patch, https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=57a1e2b.

Red-Hat considering it a very low issues. 

Maintainers please advise what is your opinion on this?
Comment 4 SpanKY gentoo-dev 2015-05-17 03:17:35 UTC 
should be all set now in the tree; thanks for the report!

Commit message: Fix from upstream for password case checks
http://sources.gentoo.org/sys-libs/pam/files/pam-1.1.8-CVE-2013-7041.patch?rev=1.1
http://sources.gentoo.org/sys-libs/pam/pam-1.1.8-r3.ebuild?rev=1.1
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-21 13:35:07 UTC 
sys-libs/pam-1.1.8-r3 has been in tree for quite some time.

@arches, please stabilize.
Comment 6 SpanKY gentoo-dev 2016-02-21 17:44:03 UTC 
pam-1.2.1 is already stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-13 12:40:03 UTC 
Added to existing GLSA.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-31 06:18:32 UTC 
Cleanup complete:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0819b4caa858b34434c1d21217ffea94d76215b
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 04:53:33 UTC 
This issue was resolved and addressed in
 GLSA 201605-05 at https://security.gentoo.org/glsa/201605-05
by GLSA coordinator Yury German (BlueKnight).