pam: CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module


Debian Bug report logs - #789986


Package: src:pam; Maintainer for src:pam is Steve Langasek <vorlon@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 25 Jun 2015 20:36:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version pam/1.1.3-7

Fixed in versions pam/1.1.8-3.2, pam/1.1.8-3.1+deb8u1

Done: Tianon Gravi <tianon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#789986; Package src:pam. (Thu, 25 Jun 2015 20:36:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Thu, 25 Jun 2015 20:36:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pam: CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module
Date: Thu, 25 Jun 2015 22:33:21 +0200
Source: pam
Version: 1.1.3-7
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for pam.

CVE-2015-3238[0]:
DoS/user enumeration due to blocking pipe in pam_unix module

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3238
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1228571

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

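The report above names the failure class (a pipe toward the pam_unix helper that blocks) but says nothing about why a pipe write hangs or what bounding it buys. The following is an added example written for this page; it is not pam_unix code, not the upstream 1.2.1 fix, and does not claim to reproduce the module's code path. It shows generically, in Python, why a parent that writes a caller-chosen number of bytes into a pipe toward a helper that never drains it is held in write(), and why bounding the message before the write removes that hang. The 512-byte cap MAX_SEND is an assumed value for the example (chosen to match the size of libpam's PAM_MAX_RESP_SIZE constant); the non-blocking descriptor is used only so the demonstration can report where a blocking write would have stalled instead of actually stalling.

```python
"""Why an unbounded write toward a helper that does not drain its pipe is a
denial of service, shown generically.  Added example for this page; this is
not pam_unix code and not the upstream fix for CVE-2015-3238."""
import os
from typing import Tuple

# Assumed cap for this example.  libpam's PAM_MAX_RESP_SIZE is 512 bytes; the
# point is only that the bound must be fixed before the write happens.
MAX_SEND = 512


def write_without_reader(data: bytes) -> Tuple[bool, int]:
    """Write `data` into a fresh pipe whose read end nobody drains.

    The write end is made non-blocking so the call reports how many bytes the
    kernel accepted before a blocking write() would have hung.  Returns
    (fully_written, bytes_accepted).
    """
    r, w = os.pipe()
    os.set_blocking(w, False)
    written = 0
    try:
        while written < len(data):
            try:
                written += os.write(w, data[written:])
            except BlockingIOError:
                # The pipe buffer (64 KiB by default on Linux) is full.  With a
                # blocking descriptor the parent would now wait here until the
                # helper reads, which a helper that has stopped reading never does.
                break
    finally:
        os.close(w)
        os.close(r)
    return written == len(data), written


def send_authtok_unbounded(authtok: bytes) -> Tuple[bool, int]:
    """Vulnerable shape: forward the caller-supplied token as is, NUL-terminated.
    The length of a token from an unauthenticated client decides whether the
    parent hangs."""
    return write_without_reader(authtok + b"\0")


def send_authtok_bounded(authtok: bytes) -> Tuple[bool, int]:
    """Hardened shape: bound the token (here by truncating to MAX_SEND; rejecting
    over-long tokens is the stricter choice) before writing.  MAX_SEND + 1 bytes
    always fits a pipe buffer, which is never smaller than one page, so the
    write completes regardless of what the helper does afterwards."""
    return write_without_reader(authtok[:MAX_SEND] + b"\0")


if __name__ == "__main__":
    long_token = b"A" * (1 << 20)  # 1 MiB of constructed attacker input
    print("unbounded:", send_authtok_unbounded(long_token))
    print("bounded:  ", send_authtok_bounded(long_token))
```

The enumeration half of the title follows from the same stall: whenever the hang happens only for one class of account, the time the authenticating service takes to answer a long password tells the client which class the name it tried belongs to. That is why the bound has to be applied before the helper is consulted, not inside the helper.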


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#789986; Package src:pam. (Wed, 16 Dec 2015 22:12:07 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 16 Dec 2015 22:12:07 GMT)


Message #10 received at 789986@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 789986@bugs.debian.org
Subject: Re: pam: CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module
Date: Wed, 16 Dec 2015 14:09:36 -0800
On Thu, 25 Jun 2015 22:33:21 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> CVE-2015-3238[0]:
> DoS/user enumeration due to blocking pipe in pam_unix module

Just a friendly ping; any movement towards fixing or at least
investigating this vuln?  This package is part of minbase, so IMO it
looks a little strange to have even something as low as a CVSS 5.8
still pending a maintainer response (even just a "naw, this isn't a
problem and won't be fixed").  Is it a matter of crafting a patch with
the upstream fix?  (I'm willing to try my hand at doing so if it'd be
helpful.)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#789986; Package src:pam. (Wed, 23 Dec 2015 23:30:03 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 23 Dec 2015 23:30:03 GMT)


Message #15 received at 789986@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: Steve Langasek <vorlon@debian.org>, 789986@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: pam: CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module
Date: Wed, 23 Dec 2015 15:27:10 -0800
On 16 December 2015 at 14:09, Tianon Gravi <tianon@debian.org> wrote:
> Just a friendly ping; any movement towards fixing or at least
> investigating this vuln?  This package is part of minbase, so IMO it
> looks a little strange to have even something as low as a CVSS 5.8
> still pending a maintainer response (even just a "naw, this isn't a
> problem and won't be fixed").  Is it a matter of crafting a patch with
> the upstream fix?  (I'm willing to try my hand at doing so if it'd be
> helpful.)

I've attached a patch for the packaging on top of the version
currently in jessie/stretch/sid that builds properly and includes the
upstream fix from 1.2.1 -- I've not yet had the opportunity to do
either a security upload or a proper NMU, but I'm willing to read and
do the work given hrefs and/or preferences, or will happily defer to
someone with more experience (maybe the maintainer, hint hint vorlon).
:)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4
[fix-cve-2015-3238.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#789986; Package src:pam. (Thu, 24 Dec 2015 05:15:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Thu, 24 Dec 2015 05:15:07 GMT)


Message #20 received at 789986@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tianon Gravi <tianon@debian.org>
Cc: Steve Langasek <vorlon@debian.org>, 789986@bugs.debian.org
Subject: Re: pam: CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module
Date: Thu, 24 Dec 2015 06:13:16 +0100
Hi Tianon, hi Steve,

On Wed, Dec 23, 2015 at 03:27:10PM -0800, Tianon Gravi wrote:
> On 16 December 2015 at 14:09, Tianon Gravi <tianon@debian.org> wrote:
> > Just a friendly ping; any movement towards fixing or at least
> > investigating this vuln?  This package is part of minbase, so IMO it
> > looks a little strange to have even something as low as a CVSS 5.8
> > still pending a maintainer response (even just a "naw, this isn't a
> > problem and won't be fixed").  Is it a matter of crafting a patch with
> > the upstream fix?  (I'm willing to try my hand at doing so if it'd be
> > helpful.)
> 
> I've attached a patch for the packaging on top of the version
> currently in jessie/stretch/sid that builds properly and includes the
> upstream fix from 1.2.1 -- I've not yet had the opportunity to do
> either a security upload or a proper NMU, but I'm willing to read and
> do the work given hrefs and/or preferences, or will happily defer to
> someone with more experience (maybe the maintainer, hint hint vorlon).
> :)

Not the maintainer here, but from the security-upload point of view:

If you do an NMU for unstable, it would be nice to have it fixed as
well in stable and possibly oldstable. The issue, though, is already
marked as no-dsa in the security-tracker (i.e. no DSA is planned for
it); the fix could go through a {wheezy,jessie}-pu, though.

Regards,
Salvatore



Reply sent to Tianon Gravi <tianon@debian.org>:
You have taken responsibility. (Thu, 07 Jan 2016 00:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 07 Jan 2016 00:21:07 GMT)


Message #25 received at 789986-close@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 789986-close@bugs.debian.org
Subject: Bug#789986: fixed in pam 1.1.8-3.2
Date: Thu, 07 Jan 2016 00:20:16 +0000
Source: pam
Source-Version: 1.1.8-3.2

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 789986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <tianon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Jan 2016 15:53:31 -0800
Source: pam
Binary: libpam0g libpam-modules libpam-modules-bin libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source
Version: 1.1.8-3.2
Distribution: unstable
Urgency: medium
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Tianon Gravi <tianon@debian.org>
Description:
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-modules-bin - Pluggable Authentication Modules for PAM - helper binaries
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 789986
Changes:
 pam (1.1.8-3.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix
     module (Closes: #789986)
Checksums-Sha1:
 9e719371d0b2199e4ce2183bab39bd41ee73d36e 2462 pam_1.1.8-3.2.dsc
 d055ed81373280a372468c2434cea6313f8d57a8 1892765 pam_1.1.8.orig.tar.gz
 a6c69ca9cc7b2b6c98fc7fd307d4a5543d3c882d 134541 pam_1.1.8-3.2.diff.gz
Checksums-Sha256:
 bdc77d84784d81c0ef6ae4d198a791502b75ec1dcb1fe2bfcd680d8af07b9066 2462 pam_1.1.8-3.2.dsc
 4183409a450708a976eca5af561dbf4f0490141a08e86e4a1e649c7c1b094876 1892765 pam_1.1.8.orig.tar.gz
 51dbecff92b4298da2218123a776cb243f43aca7a18ec9f639fc3a4bdc5da70d 134541 pam_1.1.8-3.2.diff.gz
Files:
 2368ab0dc381f3c1465b7160d6424edf 2462 libs optional pam_1.1.8-3.2.dsc
 5107bbf54042400b6200e8367cc7feef 1892765 libs optional pam_1.1.8.orig.tar.gz
 4e866e414b8c9d9de984d1703284ae43 134541 libs optional pam_1.1.8-3.2.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Reply sent to Tianon Gravi <tianon@debian.org>:
You have taken responsibility. (Sat, 09 Jan 2016 15:51:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 09 Jan 2016 15:51:11 GMT)


Message #30 received at 789986-close@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 789986-close@bugs.debian.org
Subject: Bug#789986: fixed in pam 1.1.8-3.1+deb8u1
Date: Sat, 09 Jan 2016 15:47:09 +0000
Source: pam
Source-Version: 1.1.8-3.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 789986@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <tianon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Jan 2016 17:25:53 -0800
Source: pam
Binary: libpam0g libpam-modules libpam-modules-bin libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source amd64 all
Version: 1.1.8-3.1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Tianon Gravi <tianon@debian.org>
Description:
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-modules-bin - Pluggable Authentication Modules for PAM - helper binaries
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 789986
Changes:
 pam (1.1.8-3.1+deb8u1) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix
     module (Closes: #789986)
Checksums-Sha1:
 7ef6fba18aedc4fc684b8cd5b80e6f6475abb230 2490 pam_1.1.8-3.1+deb8u1.dsc
 d055ed81373280a372468c2434cea6313f8d57a8 1892765 pam_1.1.8.orig.tar.gz
 930c5f9ad6c2c866f3d5bec67f8d54ee9b1711bf 134556 pam_1.1.8-3.1+deb8u1.diff.gz
 047708351b3f0dac1a943dd47f20de0dd7386965 126402 libpam0g_1.1.8-3.1+deb8u1_amd64.deb
 392b3825e5d35e566f58276a9c2d28089930f21f 306646 libpam-modules_1.1.8-3.1+deb8u1_amd64.deb
 d5e77f18d6baf6eecd8532abf5234318209eab80 104294 libpam-modules-bin_1.1.8-3.1+deb8u1_amd64.deb
 a8c5688b501a22617c4634acbb712514974ce2bc 212608 libpam-runtime_1.1.8-3.1+deb8u1_all.deb
 9fd19ab6b3bee3836df5bb16b63ac2f1adde6fdc 182856 libpam0g-dev_1.1.8-3.1+deb8u1_amd64.deb
 f10e09dfc06dca214eababe698fc0b577a87d214 85798 libpam-cracklib_1.1.8-3.1+deb8u1_amd64.deb
 ebfb8726844b886ad82a1aef9aa504d788920d86 279564 libpam-doc_1.1.8-3.1+deb8u1_all.deb
Checksums-Sha256:
 4d13711e521437f821647bcccdcd464f7791dddd54c6eda86acecd03cc7817f2 2490 pam_1.1.8-3.1+deb8u1.dsc
 4183409a450708a976eca5af561dbf4f0490141a08e86e4a1e649c7c1b094876 1892765 pam_1.1.8.orig.tar.gz
 5b6b66c660eab29b12d298e30189d647a3fa02c9551c71fdfcb62ec2caf165d2 134556 pam_1.1.8-3.1+deb8u1.diff.gz
 148e9f0c64b36c7bc5561261bd3b6db9d9ffb7083b468b72f28d04ea0acf088c 126402 libpam0g_1.1.8-3.1+deb8u1_amd64.deb
 2664d5ab64996fd6e6c525d3c9f524e8faa340adda907c9d7a78c48e911406ad 306646 libpam-modules_1.1.8-3.1+deb8u1_amd64.deb
 d58af8461962e340c66f810fef0ee654f60e190daca414e7fc3c6efd4a795f7f 104294 libpam-modules-bin_1.1.8-3.1+deb8u1_amd64.deb
 5bee3794abe9085ec4d7b92bc50f7b490a20a54f6be6555fc1415876960a2d0a 212608 libpam-runtime_1.1.8-3.1+deb8u1_all.deb
 a1ac946681a1fc8f42840bd97919a142e0f182950f8cd4932e2cf4074c6a840b 182856 libpam0g-dev_1.1.8-3.1+deb8u1_amd64.deb
 cd80d3832823d9573c70c01c777c7a90d8a84abafa85a76101e798253bcd65e1 85798 libpam-cracklib_1.1.8-3.1+deb8u1_amd64.deb
 321ead94a85aef1d2faf933039ba497f3b307364e08e91d644d259c8eb37d853 279564 libpam-doc_1.1.8-3.1+deb8u1_all.deb
Files:
 2aff16bae4b93b7d32eaf9595989c58c 2490 libs optional pam_1.1.8-3.1+deb8u1.dsc
 5107bbf54042400b6200e8367cc7feef 1892765 libs optional pam_1.1.8.orig.tar.gz
 4ddd0903b5a12218deb8dfa90ec69997 134556 libs optional pam_1.1.8-3.1+deb8u1.diff.gz
 67746c175c0b32be290cf22aa1f4a086 126402 libs required libpam0g_1.1.8-3.1+deb8u1_amd64.deb
 c4b705e91f279eadbdb7290f0d1b7ade 306646 admin required libpam-modules_1.1.8-3.1+deb8u1_amd64.deb
 edf059c20d5556244375c198e2def070 104294 admin required libpam-modules-bin_1.1.8-3.1+deb8u1_amd64.deb
 61450f7851fd0af69e3b534b4681ad12 212608 admin required libpam-runtime_1.1.8-3.1+deb8u1_all.deb
 bd0153f686abeedd99b63edabf9ba4ec 182856 libdevel optional libpam0g-dev_1.1.8-3.1+deb8u1_amd64.deb
 ed8e68e4056f11d7bed9f8d33954a25d 85798 admin optional libpam-cracklib_1.1.8-3.1+deb8u1_amd64.deb
 f757918ec1d86051d0f26209bce30560 279564 doc optional libpam-doc_1.1.8-3.1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Feb 2016 07:36:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:59 2019; Machine Name: beach
