When a password containing a NULL-byte is supplied to the PyPAM module, a double-free
condition is triggered. This leads to undefined behavior and may allow
remote code execution.
Filtering NULL-bytes in strings before passing them to the PyPAM module
will mitigate the exploit. Also current GLIBC protections may prevent
the double-free condition from being exploitable. It is advised to update
to a fixed version of PyPAM.
Thanks to Marien Zwart for the help in reviewing the code and work for a patch.
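One way to apply the NULL-byte filtering mitigation described above, as an added example (not code from PyPAM or from this bug): credentials are checked before any PAM call is made and are rejected rather than stripped. `guarded_authenticate`, `find_nul`, `RejectedCredential` and the `backend` callable are hypothetical names; `backend` stands in for the application's own PyPAM login routine.

```python
"""Added example: refuse NUL bytes before credentials reach a PAM binding."""


class RejectedCredential(ValueError):
    """Raised when a credential field must not be handed to the PAM module."""


def find_nul(value):
    """Return the index of the first NUL in a str or bytes value, or -1."""
    if isinstance(value, str):
        return value.find("\x00")
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).find(b"\x00")
    raise TypeError("credential must be str or bytes, got %s" % type(value).__name__)


def guarded_authenticate(username, password, backend):
    """Validate both fields, then call backend(username, password).

    `backend` is an assumption: whatever function in the application
    drives the PAM conversation. It is never invoked for rejected input.
    """
    for field, value in (("username", username), ("password", password)):
        if find_nul(value) != -1:
            # Fail closed. Stripping the byte would silently change the
            # secret being checked, and the value is never echoed back.
            raise RejectedCredential("%s contains a NUL byte" % field)
    return backend(username, password)


if __name__ == "__main__":
    # Constructed sample inputs; fake_backend replaces a real PAM call.
    def fake_backend(user, pw):
        return True

    samples = [("alice", "correct horse"), ("alice", "pw\x00tail"), ("bob", b"\x00")]
    for user, pw in samples:
        try:
            print(user, "->", guarded_authenticate(user, pw, fake_backend))
        except RejectedCredential as exc:
            print(user, "-> rejected:", exc)
```

This check belongs at the point where the credential enters the application, and it complements, rather than replaces, updating to a fixed PyPAM.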
Created attachment 304769
slightly more careful patch
A slightly more careful/paranoid patch than nulling out *resp on errors: just leave it untouched completely. This is what pam_conv(3) says we should do.
I suspect this code has other refcounting/memory-management issues (leaks), and its upstream homepage seems to have gone away. Do we need to keep this?
Double free vulnerability in the PyPAM_conv in PAMmodule.c in PyPam 0.5.0
and earlier allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a NULL byte in a
mrueg points out http://pkgs.fedoraproject.org/cgit/PyPAM.git/ has additional patches.
Their PyPAM-0.5.0-dealloc.patch is our pypam-0.5.0-python-2.5.patch (PyObject_FREE and PyObject_Del do the same thing) with one extra fix.
Their PyPAM-0.5.0-memory-errors.patch fixes the same problem my patch on this bug fixes, as well as several others (I did not review it in detail but superficially the changes look good).
I don't know exactly what PyPAM-0.5.0-nofree.patch and PyPAM-0.5.0-return-value.patch fix (can probably be found in their revision history).
PyPAM-dlopen.patch looks sensible but not normally necessary for us.
PyPAM-python3-support.patch I didn't look at.
Applying at least "dealloc" and "memory-errors" and probably also "nofree" and "memory-errors" sounds like a good idea.
*pypam-0.5.0-r3 (13 Jun 2015)
13 Jun 2015; Manuel Rüger <firstname.lastname@example.org> +files/PyPAM-0.5.0-dealloc.patch,
Apply patches from Fedora fixing security bug #407603 and add support for
files/PyPAM-0.5.0-memory-errors.patch fixes this CVE.
Arch teams: Please get it stable.
Security: Please prepare a GLSA.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
+ 17 Jun 2015; Justin Lecher <email@example.com>
+ -files/pypam-0.5.0-python-2.5.patch, -pypam-0.5.0-r2.ebuild:
+ Drop vulnerable version
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
This issue was resolved and addressed in
GLSA 201507-09 at https://security.gentoo.org/glsa/201507-09
by GLSA coordinator Mikle Kolyada (Zlogene).