The pam_skey.so module uses the pam_set_item() function to pass an authentication token (i.e., a password typed by the user) to the next stacked PAM module. However, in two places in the code it fails to erase the password string afterwards, so that it will stay as cleartext in memory. As far as I can see, the bug doesn't occur in the upstream version, but was introduced with the patch from bug 55279 comment #4 or <http://dchurch.ath.cx/pam_skey-1.1.3-gentoo-r1.patch.bz2>, so it should affect the Gentoo version only. A fix is ready and tested locally. Please advise how I shall proceed.
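The leak pattern described in the report above, next to its hardened form, as an added example (not code from pam_skey or from the attached patch). `set_item_copy()` is a hypothetical stand-in for `pam_set_item()` with `PAM_AUTHTOK`, which stores its own copy of the string; the sample token is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Overwrite through a volatile pointer so the stores are not optimized away. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical stand-in for pam_set_item(pamh, PAM_AUTHTOK, ...): it keeps
 * its own copy, so the caller's buffer remains the caller's to erase. */
static char *stored_item;
static int set_item_copy(const char *value)
{
    char *copy = malloc(strlen(value) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, value);
    if (stored_item) { secure_wipe(stored_item, strlen(stored_item)); free(stored_item); }
    stored_item = copy;
    return 0;
}

/* Pattern from the report: hand the token on, leave the buffer untouched. */
static int pass_token_leaky(char *response) { return set_item_copy(response); }

/* Hardened pattern: erase the whole buffer after the hand-off, including
 * on the error path. */
static int pass_token_wiped(char *response, size_t cap)
{
    int rc = set_item_copy(response);
    secure_wipe(response, cap);
    return rc;
}

/* Non-zero bytes still present in the caller's buffer. */
static size_t residual_bytes(const char *buf, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < cap; i++) n += (buf[i] != 0);
    return n;
}

int main(void)
{
    char a[32] = "constructed-secret", b[32] = "constructed-secret"; /* constructed */
    pass_token_leaky(a);
    pass_token_wiped(b, sizeof b);
    printf("leaky: %zu left, wiped: %zu left\n", residual_bytes(a, sizeof a), residual_bytes(b, sizeof b));
    return 0;
}
```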
Created attachment 357114: files/05_all_delete_response.patch
Attached patch should fix all such information leaks.
Created attachment 357116: pam_skey-1.1.5-r5.ebuild
CCing arches, can you test attached ebuild and patch on amd64 and x86 please?
(In reply to Ulrich Müller from comment #3)
> CCing arches, can you test attached ebuild and patch on amd64 and x86 please?
It is fine here. Please commit as stable.
CVE requested via the distros list. Arches, thanks. Waiting for CRD.
pam_skey-1.1.5-r5 committed to CVS. Vulnerable versions removed.
This issue is now public.
This issue was resolved and addressed in GLSA 201402-12 at http://security.gentoo.org/glsa/glsa-201402-12.xml by GLSA coordinator Alex Legler (a3li).