Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553302 (CVE-2015-3238) - <sys-libs/pam-1.2.1: username enumeration and denial of service attack (CVE-2015-3238)
Summary: <sys-libs/pam-1.2.1: username enumeration and denial of service attack (CVE-2...
Alias: CVE-2015-3238
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on:
Reported: 2015-06-26 09:27 UTC by Agostino Sarubbo
Modified: 2016-05-31 04:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-06-26 09:27:33 UTC
From ${URL} :

The Linux-PAM project has released a new version to address
a security issue in the pam_unix module.

If the process executing pam_sm_authenticate or pam_sm_chauthtok method
of pam_unix is not privileged enough to check the password, e.g.
if selinux is enabled, the _unix_run_helper_binary function is called.
When a long enough password is supplied (16 pages or more, i.e. 65536+
bytes on a system with 4K pages), this helper function hangs
indefinitely, blocked in the write(2) call while writing to a blocking
pipe that has a limited capacity.

This bug may have security implications, e.g. allowing potential
attackers to conduct username enumeration and denial of service attacks.

We would like to thank Sebastien Macke of Trustwave SpiderLabs for
the original bug report and Red Hat security response team for
forwarding this issue.

The code implementing pam_exec expose_authtok option and
pam_unix_passwd.c had a similar issue but its security implications
are not obvious.

In the fix prepared by Tomas Mraz for this Linux-PAM release the
verifiable password length is limited to PAM_MAX_RESP_SIZE bytes
(i.e. 512 bytes).

An alternative approach to fix this issue (implemented in such modules
as pam_tcb) is to temporary ignore SIGPIPE and check for a failed/short
write.  This alternative was considered too complex for a security fix,
though, and the simpler fix was chosen.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2015-07-07 07:38:26 UTC
Commit message: Version bump
Comment 2 SpanKY gentoo-dev 2015-07-07 07:40:25 UTC
pam-1.2.0 has been in the tree for over 30 days and i haven't seen any regression reports.  1.2.1 only fixes the security issues over 1.2.0, so that bump doesn't matter.

it would be nice if 1.2.x could bake longer, but oh well.  should be fine to stabilize 1.2.1 i think.
Comment 3 SpanKY gentoo-dev 2015-07-13 05:01:37 UTC
note: stabilize 1.2.1 and not 1.2.1-r1
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-13 18:15:49 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-14 06:19:00 UTC
Stable for PPC64.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 18:25:47 UTC
Stable on alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-15 04:43:33 UTC
Stable for HPPA.
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-15 16:15:36 UTC
x86 stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 09:24:29 UTC
ia64 stable
Comment 10 Markus Meier gentoo-dev 2015-07-17 19:58:51 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-23 09:02:44 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-07-23 09:38:58 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 14:30:18 UTC
Maintainer(s), Thank you for you for cleanup.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-10-10 02:44:20 UTC
It has been 30 days+ since cleanup requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 19:45:04 UTC
Can we please clean this up? We have all these versions available:

Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2016-05-31 04:57:25 UTC
This issue was resolved and addressed in
 GLSA 201605-05 at
by GLSA coordinator Yury German (BlueKnight).