Bugzilla – Bug 934920
VUL-1: CVE-2015-3238: pam: Security issue in pam_unix module with SELinux enabled
Last modified: 2019-10-24 14:41:52 UTC
From the Red Hat Developer (Tomas Mraz): Red Hat security response team got a security issue reported against Linux-PAM, namely the pam_unix module. Copying the report from the (private) bugzilla:

From the original report: "If SELinux is enabled, the _unix_run_helper_binary function in Linux-PAM 1.1.8 and earlier hangs indefinitely when verifying a password of 65536 characters, which allows attackers to conduct username enumeration and denial of service attacks. When supplying a password of 65536 characters or more, the process will block on the write(2) call at modules/pam_unix/support.c:614 because it tries to write strlen(passwd)+1 bytes to a blocking pipe and a pipe has a limited capacity of 65536 bytes on Linux."

Embargo date is under discussion, most likely next week.
Created attachment 638054 [details] pam-password-limit.patch
Between 1.2.0 is affected, too.
bugbot adjusting priority
Looks like Thursday, 25th, 14:00 UTC (16:00 CEST) will be the CRD for this issue.
CRD: 2015-06-25 14:00 UTC
Created attachment 638220 [details] linux-pam-CVE-2015-3238.patch
Via distros, with CVE and (code) identical patch:

The Linux-PAM project has been notified about a security issue in the pam_unix module. The issue is currently under embargo with the CRD set to 2015-06-25 14:00 UTC.

If the process executing the pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. This bug may have security implications, e.g. allowing potential attackers to conduct username enumeration and denial of service attacks.

We would like to thank Sebastien Macke of Trustwave SpiderLabs for the original bug report and Red Hat security response team for forwarding this issue and assigning it CVE-2015-3238.

The code implementing the pam_exec expose_authtok option and pam_unix_passwd.c have a similar issue, but its security implications are not obvious.

Tomas Mraz has prepared a fix that is going to be applied in the next release of Linux-PAM. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes). An alternative approach to fix this issue (implemented in such modules as pam_tcb) is to temporarily ignore SIGPIPE and check for a failed/short write. This alternative was considered too complex for a security fix, though, and the simpler fix was chosen.
is public now

Date: Thu, 25 Jun 2015 21:38:16 +0300
From: "Dmitry V. Levin" <ldv@altlinux.org>
Subject: [oss-security] Linux-PAM 1.2.1 released to address CVE-2015-3238

Hello,

The Linux-PAM project has released a new version to address a security issue in the pam_unix module.

If the process executing the pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. This bug may have security implications, e.g. allowing potential attackers to conduct username enumeration and denial of service attacks.

We would like to thank Sebastien Macke of Trustwave SpiderLabs for the original bug report and Red Hat security response team for forwarding this issue.

The code implementing the pam_exec expose_authtok option and pam_unix_passwd.c had a similar issue, but its security implications are not obvious.

In the fix prepared by Tomas Mraz for this Linux-PAM release the verifiable password length is limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes). An alternative approach to fix this issue (implemented in such modules as pam_tcb) is to temporarily ignore SIGPIPE and check for a failed/short write. This alternative was considered too complex for a security fix, though, and the simpler fix was chosen.

-- 
ldv
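The two announcements above describe the hang and the two candidate fixes in prose. The following is an added example, not Linux-PAM or pam_tcb code: it simulates the unix_chkpwd child with a process that reads only a bounded prefix of the pipe (HELPER_MAXPASS is an assumed value, not the real helper's limit) and runs the parent-side write in three variants. The "vulnerable" variant follows the pre-fix pattern as I read it, with the parent still holding its own copy of the pipe's read end while it writes (this detail is my reconstruction and is marked as such in the code): that is what turns a full pipe plus an exited child into an indefinite block instead of EPIPE. The "length limit" variant is the PAM_MAX_RESP_SIZE (512-byte) check that shipped in 1.2.1, and the "SIGPIPE check" variant is the pam_tcb-style alternative mentioned in the mails. To keep the demo from actually hanging, the vulnerable variant uses a non-blocking write and reports SEND_WOULD_HANG when the pipe is full, the helper has exited, and no reader is left that could ever drain it.

```c
/* Added example for CVE-2015-3238: blocking-pipe hang vs. the two fixes.
 * Not Linux-PAM code; the helper child is simulated. Linux semantics assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define PAM_MAX_RESP_SIZE 512 /* the limit the Linux-PAM 1.2.1 fix enforces */
#define HELPER_MAXPASS 200    /* assumption: the helper reads at most this much */

enum send_result { SEND_OK, SEND_TOO_LONG, SEND_WOULD_HANG, SEND_SHORT_WRITE, SEND_ERR };
enum send_mode { MODE_VULNERABLE, MODE_LENGTH_LIMIT, MODE_SIGPIPE_CHECK };

/* Stand-in for the unix_chkpwd child: read a bounded prefix of the pipe, then exit. */
static void fake_helper(int rfd)
{
    char buf[HELPER_MAXPASS + 1];
    if (read(rfd, buf, sizeof buf) < 0)
        _exit(1);
    _exit(0);
}

/* Parent side of the helper hand-off, in three variants. */
static enum send_result send_authtok(const char *passwd, enum send_mode mode)
{
    size_t len = strlen(passwd) + 1; /* pam_unix writes the terminating NUL too */
    if (mode == MODE_LENGTH_LIMIT && len > PAM_MAX_RESP_SIZE)
        return SEND_TOO_LONG;        /* rejected before anything touches the pipe */

    int fds[2];
    if (pipe(fds) != 0)
        return SEND_ERR;
    pid_t child = fork();
    if (child < 0)
        return SEND_ERR;
    if (child == 0) {
        close(fds[1]);
        fake_helper(fds[0]);
    }

    enum send_result res = SEND_OK;
    if (mode == MODE_SIGPIPE_CHECK) {
        /* pam_tcb-style alternative: drop our own read end so a dead reader is
         * visible, ignore SIGPIPE around the write, and check for a short write. */
        close(fds[0]);
        struct sigaction ign = { .sa_handler = SIG_IGN }, old;
        sigaction(SIGPIPE, &ign, &old);
        ssize_t n = write(fds[1], passwd, len);
        sigaction(SIGPIPE, &old, NULL);
        if (n < 0)
            res = SEND_ERR;
        else if ((size_t)n != len)
            res = SEND_SHORT_WRITE;  /* helper went away mid-transfer */
        close(fds[1]);
        waitpid(child, NULL, 0);
        return res;
    }

    /* Vulnerable pattern (my reconstruction of the pre-fix code): the parent
     * keeps fds[0] open while writing, so the write cannot fail with EPIPE even
     * after the child exits. A blocking write larger than the pipe capacity
     * therefore sleeps forever; O_NONBLOCK lets us observe that without hanging.
     * With a 512-byte cap (MODE_LENGTH_LIMIT) the write always fits and never blocks. */
    fcntl(fds[1], F_SETFL, O_NONBLOCK);
    const char *p = passwd;
    size_t left = len;
    int child_done = 0;
    while (left > 0) {
        ssize_t n = write(fds[1], p, left);
        if (n > 0) {
            p += n;
            left -= (size_t)n;
        } else if (n < 0 && errno == EAGAIN && !child_done) {
            waitpid(child, NULL, 0); /* pipe full: let the helper drain what it will */
            child_done = 1;
        } else if (n < 0 && errno == EAGAIN) {
            res = SEND_WOULD_HANG;   /* full pipe, helper gone, and we hold the only reader */
            break;
        } else if (n == 0 || errno != EINTR) {
            res = SEND_ERR;
            break;
        }
    }
    close(fds[0]); /* the pre-fix code closes its read end only after the write */
    close(fds[1]);
    if (!child_done)
        waitpid(child, NULL, 0);
    return res;
}

/* Run one scenario with a constructed password of n 'A's (not a real credential). */
static enum send_result demo(size_t n, enum send_mode mode)
{
    char *pw = malloc(n + 1);
    memset(pw, 'A', n);
    pw[n] = '\0';
    enum send_result r = send_authtok(pw, mode);
    free(pw);
    return r;
}

int main(void)
{
    const char *names[] = { "ok", "too-long", "would-hang", "short-write", "error" };
    printf("vulnerable,   100 chars: %s\n", names[demo(100, MODE_VULNERABLE)]);
    printf("vulnerable, 70000 chars: %s\n", names[demo(70000, MODE_VULNERABLE)]);
    printf("512-limit,  70000 chars: %s\n", names[demo(70000, MODE_LENGTH_LIMIT)]);
    printf("sigpipe,    70000 chars: %s\n", names[demo(70000, MODE_SIGPIPE_CHECK)]);
    return 0;
}
```

The 70000-byte case exceeds the 65536-byte default pipe capacity named in the report, so the vulnerable variant ends up with a full pipe that nobody will ever read; the same outcome holds on systems where the per-user pipe page limit shrinks a pipe to a single page. Note why the simpler fix was acceptable: a write of at most PAM_MAX_RESP_SIZE bytes always fits into the pipe buffer in one go, so the parent never reaches the blocking state at all, whereas the pam_tcb-style variant must also reorder the close(fds[0]) and handle SIGPIPE for the EPIPE/short-write path to be observable.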
SUSE-SU-2016:1645-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 854480,934920,962220
CVE References: CVE-2013-7041,CVE-2015-3238
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): pam-1.1.5-0.17.2
SUSE Linux Enterprise Server 11-SP4 (src): pam-1.1.5-0.17.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): pam-1.1.5-0.17.2
SUSE-SU-2017:1398-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1015565,1037824,934920
CVE References: CVE-2015-3238
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): pam-1.1.8-23.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): pam-1.1.8-23.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): pam-1.1.8-23.1
SUSE Linux Enterprise Server 12-SP2 (src): pam-1.1.8-23.1
SUSE Linux Enterprise Server 12-SP1 (src): pam-1.1.8-23.1
SUSE Linux Enterprise Desktop 12-SP2 (src): pam-1.1.8-23.1
SUSE Linux Enterprise Desktop 12-SP1 (src): pam-1.1.8-23.1
OpenStack Cloud Magnum Orchestration 7 (src): pam-1.1.8-23.1
released