oss-sec mailing list archives
CVE request: pam: password hashes aren't compared case-sensitively
From: Ratul Gupta <ratulg () redhat com>
Date: Mon, 09 Dec 2013 15:21:39 +0530
https://bugzilla.redhat.com/show_bug.cgi?id=1038555

It was found that in the pam_userdb module for PAM, password hashes weren't compared case-sensitively, which could lead to acceptance of hashes for completely different passwords, which shouldn't be accepted.
After hashing the user's password with crypt(), pam_userdb compares the result to the stored hash case-insensitively with strncasecmp(), which should be avoided, as it could result in an increased possibility of a successful brute-force attack.
Can a CVE be assigned for this?

--
Regards,
Ratul Gupta / Red Hat Security Response Team
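To make the point of the report concrete, here is an added example (not code from the thread or from pam_userdb) that places a strncasecmp()-style check beside a case-sensitive, constant-time one. The hash strings are constructed samples, not real crypt() output of any password.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */
#include <ctype.h>
#include <stddef.h>

/* Constructed samples: a crypt()-style string and a variant that differs
 * only in letter case. Neither is a real hash of any password. */
static const char STORED_HASH[]  = "$6$saltsalt$AbCdEfGh";
static const char CASE_VARIANT[] = "$6$saltsalt$aBcDeFgH";

/* The flawed check modelled on the report: case-insensitive comparison
 * treats 'A' and 'a' as the same hash byte. */
int hash_matches_insensitive(const char *stored, const char *computed)
{
    return strncasecmp(stored, computed, strlen(stored)) == 0;
}

/* Hardened check: equal length, case-sensitive, and constant-time
 * (the result does not leak where the first differing byte is). */
int hash_matches(const char *stored, const char *computed)
{
    size_t ls = strlen(stored), lc = strlen(computed);
    if (ls != lc)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)stored[i] ^ (unsigned char)computed[i];
    return diff == 0;
}

/* Count alphabetic positions in a hash string. Under a case-insensitive
 * compare each such position accepts two byte values instead of one, so
 * 2^n distinct hash strings are accepted in place of the single stored one. */
size_t alpha_positions(const char *hash)
{
    size_t n = 0;
    for (; *hash; hash++)
        if (isalpha((unsigned char)*hash))
            n++;
    return n;
}

int main(void)
{
    printf("strncasecmp accepts case variant: %d\n",
           hash_matches_insensitive(STORED_HASH, CASE_VARIANT));
    printf("strict compare accepts it:        %d\n",
           hash_matches(STORED_HASH, CASE_VARIANT));
    printf("alphabetic positions in hash:     %zu\n", alpha_positions(STORED_HASH));
    return 0;
}
```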