Bug 487216 (CVE-2009-0579)

Summary: CVE-2009-0579 pam: MINDAYS not respected by pam for password changing
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: nalin, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-05 15:42:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 487217, 487218, 487219
Bug Blocks:

Description Vincent Danen 2009-02-24 20:37:09 UTC
An issue dealing with password changes, with respect to the MINDAYS field in /etc/shadow was reported on the Debian BTS (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437) that affects all versions of PAM 1.x.  Because of this, if an administrative user sets the password minimum days via chage or passwd, /etc/shadow is updated correctly, but PAM allows the user to change their password with no regard for the MINDAYS setting, effectively allowing them to re-use old passwords immediately and disregard any established password policies that should be enforced.

This is due to the fact that no minimum age password checks are done by PAM in 1.x; in the old versions it was done in _unix_verify_shadow() by checking the value of sp_min.  In newer PAM this check is no longer there.
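The check the description says went missing, as an added example: this is not code from Linux-PAM or from this bug report, but a stand-alone reimplementation of the sp_min rule that the old _unix_verify_shadow() applied. It parses constructed /etc/shadow-style lines (sample data, not a real system file), the struct and helper names are this example's own, and "today" is fixed so the results are reproducible. A PAM stack without this rule, as described above, would let every one of the sample users change their password regardless of the MINDAYS column.

```c
/*
 * Added example, not code from Linux-PAM or this bug: a stand-alone
 * version of the minimum-age check that old pam_unix performed in
 * _unix_verify_shadow() using sp_min. Input lines are constructed
 * /etc/shadow-style records, not a real system file.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SECS_PER_DAY 86400L
#define SHADOW_FIELDS 9

/* The shadow fields this check needs; member names follow struct spwd. */
struct shadow_entry {
    char name[64];
    long sp_lstchg;   /* days since 1970-01-01 of last change; -1 if unset */
    long sp_min;      /* minimum days between changes (MINDAYS); -1 if unset */
};

/* An empty shadow field means "not set"; represent it as -1. */
static long field_days(const char *s)
{
    return *s == '\0' ? -1 : strtol(s, NULL, 10);
}

/* Parse "name:hash:lstchg:min:max:warn:inact:expire:flag" into *e.
 * Returns 0 on success, -1 on a malformed line (fewer than 9 fields). */
static int parse_shadow_line(const char *line, struct shadow_entry *e)
{
    char buf[512];
    char *field[SHADOW_FIELDS];
    char *p, *nl;
    int i;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    if ((nl = strchr(buf, '\n')) != NULL)
        *nl = '\0';

    p = buf;
    for (i = 0; i < SHADOW_FIELDS; i++) {
        char *colon = strchr(p, ':');
        field[i] = p;
        if (colon == NULL) {
            if (i < SHADOW_FIELDS - 1)
                return -1;            /* ran out of fields too early */
            break;
        }
        *colon = '\0';
        p = colon + 1;
    }

    snprintf(e->name, sizeof e->name, "%s", field[0]);
    e->sp_lstchg = field_days(field[2]);
    e->sp_min = field_days(field[3]);
    return 0;
}

/* The minimum-age rule: refuse a change when fewer than sp_min days have
 * elapsed since sp_lstchg. sp_min unset or 0 disables the rule; sp_lstchg
 * of 0 means "must change at next login" and is never blocked.
 * Returns 1 if the change must be refused, 0 if it may proceed. */
static int min_age_blocks_change(const struct shadow_entry *e, long today)
{
    if (e->sp_min <= 0)
        return 0;
    if (e->sp_lstchg <= 0)
        return 0;
    return (today - e->sp_lstchg < e->sp_min) ? 1 : 0;
}

/* Wrapper over a raw line: 1 = refuse, 0 = allow, -1 = unparseable line. */
static int check_line(const char *line, long today)
{
    struct shadow_entry e;
    if (parse_shadow_line(line, &e) != 0)
        return -1;
    return min_age_blocks_change(&e, today);
}

int main(void)
{
    /* Constructed sample entries; "today" is fixed so the output is stable. */
    const long today = 14300;
    const char *samples[] = {
        "alice:$6$salt$hash:14298:7:90:7:::", /* changed 2 days ago, MINDAYS 7: refuse */
        "bob:$6$salt$hash:14270:7:90:7:::",   /* changed 30 days ago: allow */
        "carol:$6$salt$hash:14298::90:7:::",  /* MINDAYS unset: allow */
        "dave:$6$salt$hash:0:7:90:7:::",      /* forced change at next login: allow */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = check_line(samples[i], today);
        printf("%-38s -> %s\n", samples[i],
               r == 1 ? "refused (too soon)" : r == 0 ? "allowed" : "malformed");
    }
    printf("days since epoch now: %ld\n", (long)(time(NULL) / SECS_PER_DAY));
    return 0;
}
```

To confirm the behaviour on a live system rather than on sample data, set a minimum age with `chage -m 7 <user>` (it lands in the fourth field of that user's /etc/shadow line), then run `passwd` as that user: with the check in place the change is refused until seven days have passed since the last change; with the affected pam versions it goes through.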

Comment 1 Vincent Danen 2009-02-24 20:37:38 UTC
Created pam tracking bugs for this issue

Affects: F10 [bug #487217]
Affects: F9 [bug #487218]
Affects: Fdevel [bug #487219]

Comment 2 Fedora Update System 2009-03-26 10:46:15 UTC
pam-1.0.4-3.fc9 has been submitted as an update for Fedora 9.

Comment 3 Fedora Update System 2009-03-30 16:43:57 UTC
pam-1.0.4-4.fc9 has been submitted as an update for Fedora 9.

Comment 4 Fedora Update System 2009-03-30 16:45:06 UTC
pam-1.0.4-4.fc10 has been submitted as an update for Fedora 10.

Comment 5 Fedora Update System 2009-04-14 15:52:54 UTC
pam-1.0.4-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-04-14 15:58:36 UTC
pam-1.0.4-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Vincent Danen 2013-04-05 15:42:11 UTC
Not vulnerable. This issue did not affect the versions of pam as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6.