Bug 16212

Summary: pam new security issue CVE-2015-3238
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/649947/
Whiteboard: MGA4TOO MGA4-32-OK advisory MGA4-64-OK MGA5-32-OK MGA5-64-OK
Source RPM: pam-1.1.8-10.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-06-26 01:45:23 CEST 
A security issue fixed upstream in PAM has been announced:
http://openwall.com/lists/oss-security/2015/06/25/13

The issue is fixed in version 1.2.1.

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-26 01:46:16 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-01 19:50:03 CEST 
Fedora has issued an advisory for this on June 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/161249.html

URL: (none) => http://lwn.net/Vulnerabilities/649947/

Comment 2 David Walser 2015-07-01 20:08:48 CEST 
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated pam packages fix security vulnerability:

If SELinux is enabled, the _unix_run_helper_binary function in Linux-PAM 1.1.8
and earlier hangs indefinitely when verifying a password of 65536 characters,
which allows attackers to conduct username enumeration and denial of service
attacks (CVE-2015-3238).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3238
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/161249.html
========================

Updated packages in core/updates_testing:
========================
pam-1.1.8-7.2.mga4
pam-doc-1.1.8-7.2.mga4
libpam0-1.1.8-7.2.mga4
libpam-devel-1.1.8-7.2.mga4
pam-1.1.8-10.1.mga5
pam-doc-1.1.8-10.1.mga5
libpam0-1.1.8-10.1.mga5
libpam-devel-1.1.8-10.1.mga5

from SRPMS:
pam-1.1.8-7.2.mga4.src.rpm
pam-1.1.8-10.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 3 David Walser 2015-07-04 17:55:21 CEST 
Tested Mageia 4 i586 by just testing that I could still log in at the console, use su, and ssh into this machine.

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK

Comment 4 Dave Hodgins 2015-07-04 20:24:21 CEST 
Advisory committed to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK advisory

Comment 5 Dave Hodgins 2015-07-04 20:32:22 CEST 
Testing complete.

Someone from the sysadmin team please push 16212.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK advisory => MGA4TOO MGA4-32-OK advisory MGA4-64-OK MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-07-05 19:23:42 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0266.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED