Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 493432 (CVE-2013-7041) - <sys-libs/pam-1.1.8-r3: password hashes aren't compared case-sensitively
Summary: <sys-libs/pam-1.1.8-r3: password hashes aren't compared case-sensitively
Status: RESOLVED FIXED
Alias: CVE-2013-7041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-06 11:00 UTC by Agostino Sarubbo
Modified: 2016-05-31 04:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
pam-1.1.8-cve-2013-7041.patch (pam-1.1.8-cve-2013-7041.patch,1.93 KB, patch)
2014-07-29 06:43 UTC, Andrey Ovcharov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-06 11:00:36 UTC
From ${URL} :

It was found that in pam_userdb module for Pam, password hashes weren't compared case-sensitively, which 
could lead to acceptance of hashes for completely different passwords, which shouldn't be accepted.

After hashing the user's password with crypt(), pam_userdb compares the result to the stored hash 
case-insensitively with strncasecmp(), which should be avoided, as it could result in an increased 
possibility of a successful brute-force attack.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731368


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andrey Ovcharov 2014-07-29 06:43:34 UTC
Created attachment 381764 [details, diff]
pam-1.1.8-cve-2013-7041.patch
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:37:16 UTC
CVE-2013-7041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7041):
  The pam_userdb module for Pam uses a case-insensitive method to compare
  hashed passwords, which makes it easier for attackers to guess the password
  via a brute force attack.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-05 19:40:32 UTC
Upstream patch, https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=57a1e2b.

Red-Hat considering it a very low issues. 

Maintainers please advise what is your opinion on this?
Comment 4 SpanKY gentoo-dev 2015-05-17 03:17:35 UTC
should be all set now in the tree; thanks for the report!

Commit message: Fix from upstream for password case checks
http://sources.gentoo.org/sys-libs/pam/files/pam-1.1.8-CVE-2013-7041.patch?rev=1.1
http://sources.gentoo.org/sys-libs/pam/pam-1.1.8-r3.ebuild?rev=1.1
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-21 13:35:07 UTC
sys-libs/pam-1.1.8-r3 has been in tree for quite some time.

@arches, please stabilize.
Comment 6 SpanKY gentoo-dev 2016-02-21 17:44:03 UTC
pam-1.2.1 is already stable
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-13 12:40:03 UTC
Added to existing GLSA.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 04:53:33 UTC
This issue was resolved and addressed in
 GLSA 201605-05 at https://security.gentoo.org/glsa/201605-05
by GLSA coordinator Yury German (BlueKnight).