Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 493432 (CVE-2013-7041) - <sys-libs/pam-1.1.8-r3: password hashes aren't compared case-sensitively
Summary: <sys-libs/pam-1.1.8-r3: password hashes aren't compared case-sensitively
Alias: CVE-2013-7041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2013-12-06 11:00 UTC by Agostino Sarubbo
Modified: 2016-05-31 04:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

pam-1.1.8-cve-2013-7041.patch (pam-1.1.8-cve-2013-7041.patch,1.93 KB, patch)
2014-07-29 06:43 UTC, Andrey Ovcharov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-06 11:00:36 UTC
From ${URL} :

It was found that in pam_userdb module for Pam, password hashes weren't compared case-sensitively, which 
could lead to acceptance of hashes for completely different passwords, which shouldn't be accepted.

After hashing the user's password with crypt(), pam_userdb compares the result to the stored hash 
case-insensitively with strncasecmp(), which should be avoided, as it could result in an increased 
possibility of a successful brute-force attack.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andrey Ovcharov 2014-07-29 06:43:34 UTC
Created attachment 381764 [details, diff]
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:37:16 UTC
CVE-2013-7041 (
  The pam_userdb module for Pam uses a case-insensitive method to compare
  hashed passwords, which makes it easier for attackers to guess the password
  via a brute force attack.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 19:40:32 UTC
Upstream patch,

Red-Hat considering it a very low issues. 

Maintainers please advise what is your opinion on this?
Comment 4 SpanKY gentoo-dev 2015-05-17 03:17:35 UTC
should be all set now in the tree; thanks for the report!

Commit message: Fix from upstream for password case checks
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-21 13:35:07 UTC
sys-libs/pam-1.1.8-r3 has been in tree for quite some time.

@arches, please stabilize.
Comment 6 SpanKY gentoo-dev 2016-02-21 17:44:03 UTC
pam-1.2.1 is already stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-13 12:40:03 UTC
Added to existing GLSA.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-31 06:18:32 UTC
Cleanup complete:
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 04:53:33 UTC
This issue was resolved and addressed in
 GLSA 201605-05 at
by GLSA coordinator Yury German (BlueKnight).