|
|
f2fdff |
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
|
|
|
f2fdff |
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
|
|
f2fdff |
Date: Fri, 24 Jan 2014 22:18:32 +0000
|
|
|
f2fdff |
Subject: [PATCH] pam_userdb: fix password hash comparison
|
|
|
f2fdff |
|
|
|
f2fdff |
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
|
|
|
f2fdff |
passwords support in pam_userdb, hashes are compared case-insensitively.
|
|
|
f2fdff |
This bug leads to accepting hashes for completely different passwords in
|
|
|
f2fdff |
addition to those that should be accepted.
|
|
|
f2fdff |
|
|
|
f2fdff |
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
|
|
|
f2fdff |
modern password hashes with different lengths and settings, did not
|
|
|
f2fdff |
update the hash comparison accordingly, which leads to accepting
|
|
|
f2fdff |
computed hashes longer than stored hashes when the latter is a prefix
|
|
|
f2fdff |
of the former.
|
|
|
f2fdff |
|
|
|
f2fdff |
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
|
|
|
f2fdff |
hash whose length differs from the stored hash length.
|
|
|
f2fdff |
Compare computed and stored hashes case-sensitively.
|
|
|
f2fdff |
Fixes CVE-2013-7041.
|
|
|
f2fdff |
|
|
|
f2fdff |
Bug-Debian: http://bugs.debian.org/731368
|
|
|
f2fdff |
---
|
|
|
f2fdff |
modules/pam_userdb/pam_userdb.c | 9 ++++++---
|
|
|
f2fdff |
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
f2fdff |
|
|
|
f2fdff |
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
|
|
f2fdff |
index de8b5b1..ff040e6 100644
|
|
|
f2fdff |
--- a/modules/pam_userdb/pam_userdb.c
|
|
|
f2fdff |
+++ b/modules/pam_userdb/pam_userdb.c
|
|
|
f2fdff |
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
|
|
f2fdff |
} else {
|
|
|
f2fdff |
cryptpw = crypt (pass, data.dptr);
|
|
|
f2fdff |
|
|
|
f2fdff |
- if (cryptpw) {
|
|
|
f2fdff |
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
|
|
|
f2fdff |
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
|
|
f2fdff |
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
|
|
f2fdff |
} else {
|
|
|
f2fdff |
compare = -2;
|
|
|
f2fdff |
if (ctrl & PAM_DEBUG_ARG) {
|
|
|
f2fdff |
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
|
|
f2fdff |
+ if (cryptpw)
|
|
|
f2fdff |
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
|
|
f2fdff |
+ else
|
|
|
f2fdff |
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
|
|
f2fdff |
}
|
|
|
f2fdff |
};
|
|
|
f2fdff |
|
|
|
f2fdff |
--
|
|
|
f2fdff |
1.8.3.1
|
|
|
f2fdff |
|