From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001

From: "Dmitry V. Levin" <ldv@altlinux.org>

Date: Fri, 24 Jan 2014 22:18:32 +0000

Subject: [PATCH] pam_userdb: fix password hash comparison

Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed

passwords support in pam_userdb, hashes are compared case-insensitively.

This bug leads to accepting hashes for completely different passwords in

addition to those that should be accepted.

Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for

modern password hashes with different lengths and settings, did not

update the hash comparison accordingly, which leads to accepting

computed hashes longer than stored hashes when the latter is a prefix

of the former.

* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed

hash whose length differs from the stored hash length.

Compare computed and stored hashes case-sensitively.

Fixes CVE-2013-7041.

Bug-Debian: http://bugs.debian.org/731368

---

 modules/pam_userdb/pam_userdb.c | 9 ++++++---

 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c

index de8b5b1..ff040e6 100644

--- a/modules/pam_userdb/pam_userdb.c

+++ b/modules/pam_userdb/pam_userdb.c

@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,

 	  } else {

 	    cryptpw = crypt (pass, data.dptr);

-	    if (cryptpw) {

-	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);

+	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {

+	      compare = memcmp(data.dptr, cryptpw, data.dsize);

 	    } else {

 	      compare = -2;

 	      if (ctrl & PAM_DEBUG_ARG) {

-		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");

+		if (cryptpw)

+		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");

+		else

+		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");

 	      }

 	    };

-- 

1.8.3.1