A CVE has been assigned for a security issue in PAM: http://openwall.com/lists/oss-security/2013/12/09/16 The issue is that it uses case-insensitive matching when comparing hashes. There is a patch linked in the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1038555#c2 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Blocks: (none) => 11726
Removing this from the Mageia 4 security tracker, as this will not be fixed before release.
Blocks: 11726 => (none)Whiteboard: MGA3TOO => MGA4TOO, MGA3TOO
Fedora has added patches in RawHide from upstream pam's git to fix CVE-2013-7041 and CVE-2014-2583. They also have posted detailed explanations of why each issue is very unlikely to be exploited: https://bugzilla.redhat.com/show_bug.cgi?id=1038555#c9 https://bugzilla.redhat.com/show_bug.cgi?id=1080243#c13 I've added both patches in pam-1.1.8-8.mga5 to fix this in Cauldron. I've also added patches for both in Mageia 3 and Mageia 4 SVN, so that they will be included in any future updates.
Version: Cauldron => 4Summary: pam new security issue CVE-2013-7041 => pam new security issues CVE-2013-7041 and CVE-2014-2583Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Fedora has issued an advisory for this on December 6: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146370.html Removing Mageia 3 from the whiteboard due to EOL.
URL: (none) => http://lwn.net/Vulnerabilities/626828/Whiteboard: MGA3TOO => (none)
pushed into 4 core/updates_testing
CC: (none) => mageia
Patched package uploaded for Mageia 4. Advisory: ======================== Updated pam packages fix security vulnerabilities: The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack (CVE-2013-7041). Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function (CVE-2014-2583). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7041 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583 https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146370.html ======================== Updated packages in core/updates_testing: ======================== pam-1.1.8-7.1.mga4 pam-doc-1.1.8-7.1.mga4 libpam0-1.1.8-7.1.mga4 libpam-devel-1.1.8-7.1.mga4 from pam-1.1.8-7.1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete mga4 32 Minimal testing during mga5 final release cycle but ensured reboot/login/logout/MCC still OK
Whiteboard: (none) => has_procedure mga4-32-ok
Advisory uploaded.
Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok
Testing complete mga4 64, as comment 6 Validating. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure advisory mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0213.html
Status: NEW => RESOLVEDResolution: (none) => FIXED