From the original report:
"If SELinux is enabled, the _unix_run_helper_binary function in Linux-PAM 1.1.8
and earlier hangs indefinitely when verifying a password of 65536 characters,
which allows attackers to conduct username enumeration and denial of service.
When supplying a password of 65536 characters or more, the process will block
on the write(2) call at modules/pam_unix/support.c:614 because it tries to
write strlen(passwd)+1 bytes to a blocking pipe, and a pipe has a limited
capacity of 65536 bytes on Linux."
Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs for reporting this issue.
So we (as PAM upstream developers) acknowledge the issue. I developed a patch that was reviewed by peer upstream developers and we will do a release after vendor notification.
Can we get a CVE assigned?
Created attachment 1038860
The patch limiting the supported password length to 512 bytes
Public via: http://www.openwall.com/lists/oss-security/2015/06/25/13
pam-1.1.8-19.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
pam-1.1.8-19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
In the patch provided, in static int _unix_run_update_binary, there is an "else" missing for both "if (fromwhat)" and "if (towhat)"; hence this ends up writing "pam_modutil_write(fds, "", 1);" irrespective of the value. Is this expected, or is it a bug in the patch?
Yes, that is fully intentional as we need to write the NULL byte as well.
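The two technical points in this thread, the report's mechanism (a blocking write(2) sleeps once the 64 KiB pipe buffer is full and the child is not draining it) and the patch discussion above (always emit the terminating NUL, cap the length before writing), modelled in Python. This is an added example written for this page; it is not Linux-PAM code and not the attached patch. The probe uses O_NONBLOCK so it reports where a blocking writer would have stopped instead of hanging, the helper functions (send_to_helper, read_nul_terminated, round_trip) are this editor's constructions, and the 512-byte cap mirrors the limit the attachment describes.

```python
import os
import fcntl

# Default capacity of a Linux pipe buffer, the figure cited in the report.
DEFAULT_PIPE_CAPACITY = 65536
# Length cap the upstream patch introduced for passwords handed to the helper.
MAX_PASSWD_LEN = 512
# Linux-specific fcntl command; older Python builds lack the constant (value 1032).
F_GETPIPE_SZ = getattr(fcntl, "F_GETPIPE_SZ", 1032)


def pipe_capacity(fd):
    """Ask the kernel how many bytes this pipe holds before a writer would sleep."""
    return fcntl.fcntl(fd, F_GETPIPE_SZ)


def probe_unread_pipe(n_bytes):
    """Write n_bytes into a fresh pipe that nobody drains, with the write end set
    O_NONBLOCK so the probe itself cannot hang. Returns (bytes_accepted, capacity).
    A blocking write(2), as in the report, would sleep at exactly the point where
    this probe stops accepting data."""
    r, w = os.pipe()
    try:
        flags = fcntl.fcntl(w, fcntl.F_GETFL)
        fcntl.fcntl(w, fcntl.F_SETFL, flags | os.O_NONBLOCK)
        payload = b"x" * n_bytes  # constructed filler, stands in for the password bytes
        accepted = 0
        while accepted < n_bytes:
            try:
                accepted += os.write(w, payload[accepted:])
            except BlockingIOError:
                break  # pipe full: a blocking writer would now wait for a reader
        return accepted, pipe_capacity(w)
    finally:
        os.close(r)
        os.close(w)


def write_nul_terminated(fd, value):
    """Same shape as the patch's write pattern: the value (if any) followed by a
    lone NUL, so the reader always sees a terminator, even for an empty value."""
    if value:
        os.write(fd, value)
    os.write(fd, b"\0")


def send_to_helper(fd, passwd):
    """Refuse over-long passwords before touching the pipe. With the cap, the
    bytes written always fit in the pipe buffer, so the parent can never block
    behind a child that is not reading."""
    if len(passwd) > MAX_PASSWD_LEN:
        return False
    write_nul_terminated(fd, passwd)
    return True


def read_nul_terminated(fd):
    """Helper side: read bytes up to, and excluding, the first NUL."""
    out = bytearray()
    while True:
        ch = os.read(fd, 1)
        if not ch or ch == b"\0":
            return bytes(out)
        out += ch


def round_trip(passwd):
    """Hand a password from parent to helper over a pipe. Returns what the
    helper received, or None when the length cap rejected the password."""
    r, w = os.pipe()
    try:
        if not send_to_helper(w, passwd):
            return None
        return read_nul_terminated(r)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    accepted, cap = probe_unread_pipe(DEFAULT_PIPE_CAPACITY + 1)
    print(f"pipe capacity {cap}, bytes accepted before a writer would sleep: {accepted}")
    print("capped helper accepts 512:", round_trip(b"A" * 512) is not None)
    print("capped helper rejects 513:", round_trip(b"A" * 513) is None)
```

The probe answers the question a reviewer of the report would ask first: how many bytes can sit in an undrained pipe before write(2) stops returning. The cap in send_to_helper is the patch's mitigation in miniature: the parent decides on the password length before it commits to a write that only the child can unblock.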
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2015:1640 https://rhn.redhat.com/errata/RHSA-2015-1640.html