Bug 16212 - pam new security issue CVE-2015-3238
Summary: pam new security issue CVE-2015-3238
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/649947/
Whiteboard: MGA4TOO MGA4-32-OK advisory MGA4-64-...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-26 01:45 CEST by David Walser
Modified: 2015-07-05 19:23 CEST

See Also:
Source RPM: pam-1.1.8-10.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-06-26 01:45:23 CEST
A security issue fixed upstream in PAM has been announced:
http://openwall.com/lists/oss-security/2015/06/25/13

The issue is fixed in version 1.2.1.

Mageia 4 and Mageia 5 are also affected.

David Walser 2015-06-26 01:46:16 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-07-01 19:50:03 CEST
Fedora has issued an advisory for this on June 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/161249.html

URL: (none) => http://lwn.net/Vulnerabilities/649947/

Comment 2 David Walser 2015-07-01 20:08:48 CEST
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated pam packages fix security vulnerability:

If SELinux is enabled, the _unix_run_helper_binary function in Linux-PAM 1.1.8
and earlier hangs indefinitely when verifying a password of 65536 characters,
which allows attackers to conduct username enumeration and denial of service
attacks (CVE-2015-3238).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3238
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/161249.html
========================

Updated packages in core/updates_testing:
========================
pam-1.1.8-7.2.mga4
pam-doc-1.1.8-7.2.mga4
libpam0-1.1.8-7.2.mga4
libpam-devel-1.1.8-7.2.mga4
pam-1.1.8-10.1.mga5
pam-doc-1.1.8-10.1.mga5
libpam0-1.1.8-10.1.mga5
libpam-devel-1.1.8-10.1.mga5

from SRPMS:
pam-1.1.8-7.2.mga4.src.rpm
pam-1.1.8-10.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 3 David Walser 2015-07-04 17:55:21 CEST
Tested Mageia 4 i586 by just testing that I could still log in at the console, use su, and ssh into this machine.

Whiteboard: MGA4TOO => MGA4TOO MGA4-32-OK

Comment 4 Dave Hodgins 2015-07-04 20:24:21 CEST
Advisory committed to svn.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK advisory

Comment 5 Dave Hodgins 2015-07-04 20:32:22 CEST
Testing complete.

Someone from the sysadmin team please push 16212.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK advisory => MGA4TOO MGA4-32-OK advisory MGA4-64-OK MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-07-05 19:23:42 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0266.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

