oss-sec mailing list archives
Re: Heads up: PAM 1.5.0 has a auth bypass under some conditions
From: Érico Nogueira <ericonr () disroot org>
Date: Tue, 24 Nov 2020 15:41:38 -0300
On Tue Nov 24, 2020 at 3:02 PM -03, John Helmert III wrote:
> On Tue, Nov 24, 2020 at 07:20:21PM +0100, Marcus Meissner wrote:
> > Hi,
> >
> > (via IRC, spotted by Foxboron)
> >
> > PAM 1.5.0 had a potential auth bypass, if a user did not exist and the root password was empty (but root locked down).
> >
> > The reporter's use case was spammers pretending to be unknown users with a PAM enabled dovecot.
> >
> > This issue affected only pam 1.5.0.
> >
> > News entry: https://github.com/linux-pam/linux-pam/commit/28b8c7045ac8ea4ea080bce02a2df9e3b9e98f06
> >
> > CVE-2020-27780
> >
> > github issue reporting the problem: https://github.com/linux-pam/linux-pam/issues/284
> >
> > Fixing commit: https://github.com/linux-pam/linux-pam/commit/af0faf666c5008e54dfe43684f210e3581ff1bca
>
> It looks like that commit is in 1.5.0, and the issue was closed by commit 30fdfb9 (not af0faf6).

From the PR [1] that fixed it, the issue was introduced in af0faf6.
Commit 30fdfb9 was made 4 days ago, and is not in the 1.5.0 release (clearing this up for others, since I thought you meant the issue had been solved in 1.5.0 already, and was a bit confused).

- [1] https://github.com/linux-pam/linux-pam/pull/300

Cheers,
Érico