fix CVE-2013-7041: use case sensitive comparison in pam_userdb
This commit is contained in:
parent
ad164ea74b
commit
8f1046a25f
52
pam-1.1.8-cve-2013-7041.patch
Normal file
52
pam-1.1.8-cve-2013-7041.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||||
|
Date: Fri, 24 Jan 2014 22:18:32 +0000
|
||||||
|
Subject: [PATCH] pam_userdb: fix password hash comparison
|
||||||
|
|
||||||
|
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
|
||||||
|
passwords support in pam_userdb, hashes are compared case-insensitively.
|
||||||
|
This bug leads to accepting hashes for completely different passwords in
|
||||||
|
addition to those that should be accepted.
|
||||||
|
|
||||||
|
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
|
||||||
|
modern password hashes with different lengths and settings, did not
|
||||||
|
update the hash comparison accordingly, which leads to accepting
|
||||||
|
computed hashes longer than stored hashes when the latter is a prefix
|
||||||
|
of the former.
|
||||||
|
|
||||||
|
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
|
||||||
|
hash whose length differs from the stored hash length.
|
||||||
|
Compare computed and stored hashes case-sensitively.
|
||||||
|
Fixes CVE-2013-7041.
|
||||||
|
|
||||||
|
Bug-Debian: http://bugs.debian.org/731368
|
||||||
|
---
|
||||||
|
modules/pam_userdb/pam_userdb.c | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
||||||
|
index de8b5b1..ff040e6 100644
|
||||||
|
--- a/modules/pam_userdb/pam_userdb.c
|
||||||
|
+++ b/modules/pam_userdb/pam_userdb.c
|
||||||
|
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
||||||
|
} else {
|
||||||
|
cryptpw = crypt (pass, data.dptr);
|
||||||
|
|
||||||
|
- if (cryptpw) {
|
||||||
|
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
|
||||||
|
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
||||||
|
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
||||||
|
} else {
|
||||||
|
compare = -2;
|
||||||
|
if (ctrl & PAM_DEBUG_ARG) {
|
||||||
|
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||||
|
+ if (cryptpw)
|
||||||
|
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
||||||
|
+ else
|
||||||
|
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
Loading…
Reference in New Issue
Block a user