Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261108 (CVE-2009-0579) - <sys-libs/pam-1.0.4 MINDAYS not respected by pam for password changing (CVE-2009-0579)
Summary: <sys-libs/pam-1.0.4 MINDAYS not respected by pam for password changing (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2009-0579
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 261167
Blocks: CVE-2009-0887
  Show dependency tree
 
Reported: 2009-03-03 20:59 UTC by Robert Buchholz (RETIRED)
Modified: 2009-06-24 16:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 20:59:26 UTC
Vincent Danen wrote:
An issue dealing with password changes, with respect to the MINDAYS field in
/etc/shadow was reported on the Debian BTS
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437) that affects all
versions of PAM 1.x.  Because of this, if an administrative user sets the
password minimum days via chage or passwd, /etc/shadow is updated correctly,
but PAM allows the user to change their password with no regard for the MINDAYS
setting, effectively allowing them to re-use old passwords immediately and
disregard any established password policies that should be enforced.

This is due to the fact that no minimum age password checks are done by PAM in
1.x; in the old versions it was done in _unix_verify_shadow() by checking the
value of of sp_min.  In newer PAM this check is no longer there.
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-03-03 21:09:00 UTC
sys-libs/pam-1.0.4 is in the tree.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 21:10:54 UTC
Arches, please test and mark stable:
=sys-libs/pam-1.0.4
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2009-03-04 14:45:08 UTC
I do not thing pam-1.0.4 builds with stable libtool-1.5.26 (at least, on two different sparc systems and amd64 it doesn't build for me, but pam-1.0.1 is OK (as was -1.0.3 while it was around)).

For example,
/bin/sh ../libtool --tag=CC   --mode=compile sparc-unknown-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I..    -DDEFAULT_MODULE_PATH=\"/lib/security/\" -DLIBPAM_COMPILE -I./include  -DPAM_VERSION=\"1.0.4\"  -mcpu=ultrasparc -mtune=ultrasparc -O2 -pipe -D__GLX_ALIGN64 -W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Wmissing-declarations -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes -Wwrite-strings -Winline -Wshadow -c -o pam_account.lo pam_account.c

Followed by a lot of trash:
===================================
../libtool: line 848: X--tag=CC: command not found
../libtool: line 881: libtool: ignoring unknown tag : command not found
../libtool: line 848: X--mode=compile: command not found
../libtool: line 1015: *** Warning: inferring the mode of operation is deprecated.: command not found
../libtool: line 1016: *** Future versions of Libtool will require --mode=MODE be specified.: command not found
../libtool: line 1159: Xsparc-unknown-linux-gnu-gcc: command not found
=============================

This seems to me to be pretty much a show stopper.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-03-04 14:46:49 UTC
Bug #261167, Peter (loki_val) fixed it a few minutes ago.

Sorry for having missed it before!
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2009-03-04 16:31:54 UTC
Thanks, that fixes it.  Now, I see a failure on two sparc systems:
FAIL: tst-pam_mkargv

The problem comes as follows:  This test checks output:

argvlen=185, argc=4, argv[0]=user, argv[1]==, argv[2]=XENDT\userα, argv[3]=user=XENDT\user1

Now, argc and the four argv[] values are correct, but the program wants argvlen=333.

This test is invalid, because argvlen = (1 + sizeof(argv))*(sizeof(char) + sizeof(char*))
and this is 333 when sizeof(char*) == 8.  But on sparc it is not 8; it is 4.  So I think pal-1.0.4 is probably good, but this test is not.  I double-checked all this with this little test:
================================
#include <stdio.h>
int main (void) {
        char * s = "user = XENDT\\userα user=XENDT\\user1";
        int l, c, p, t;
        l = strlen(s);
        c = sizeof(char);
        p = sizeof(char *);
        t = (l + 1) * (c + p);
        printf("s=%s, len=%d, csz=%d, ptsz=%d, total=%d\n",s,l,c,p,t);
        return 0;
}
========================

Please advise.  (I'm willing to keyword pam based on this, but I do not like that test.)
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-03-04 16:48:33 UTC
ppc64 done
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-03-05 15:21:09 UTC
I've added a patch to fix the test on 32-bit systems. Upstream bug was already opened, but I also submitted the patch upstream. This should do it.
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2009-03-05 16:11:59 UTC
(In reply to comment #8)
> I've added a patch to fix the test on 32-bit systems. Upstream bug was already
> opened, but I also submitted the patch upstream. This should do it.
> 

That got it, thanks.  Sparc stable, all tests now pass, and it works on my systems.
Comment 10 Jeroen Roovers gentoo-dev 2009-03-05 22:09:54 UTC
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-03-06 19:12:25 UTC
alpha/arm/ia64/s390/sh/x86 stable
Comment 12 Markus Meier gentoo-dev 2009-03-07 14:29:31 UTC
amd64 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-03-18 19:23:54 UTC
ppc done
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2009-03-27 17:08:30 UTC
m68k stable
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-21 09:47:35 UTC
CVE-2009-0579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0579):
  Linux-PAM before 1.0.4 does not enforce the minimum password age
  (MINDAYS) as specified in /etc/shadow, which allows local users to
  bypass intended security policy and change their passwords sooner
  than specified.

Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-23 17:14:25 UTC
Ready to vote, I vote no.
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:39:27 UTC
NO too, closing.