Univention Bugzilla – Bug 49741
Denial of Service: pam_unix authentication hangs in hashsum generation
Last modified: 2021-06-23 07:29:13 CEST
https://github.com/linux-pam/linux-pam/issues/118
https://github.com/linux-pam/linux-pam/pull/120
pam_unix hangs during the hashsum generation of the given password. This causes python-pam processes to hang forever, when someone logs in via a very long password.
Build package (for i386 and amd64) in scope fbest:
deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_4.4-0-fbest/all/
deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_4.4-0-fbest/$(ARCH)/
Changes in patches repository: svn r18608
YAML file in branch git:fbest/49741-pam-unix
Rebuilt the package again: Somehow the quilt patch was not appended to debian/series. Migrated to a .patch file now which worked.
[amd64] successful build
Package: pam
Version: 1.1.8-3.6A~4.4.0.201907121407
Branch: ucs_4.4-0-fbest
Scope: fbest
Merged the patch into the errata-4.4-1 scope.
pam.yaml
f1d99e8176dc | YAML Bug #49741
f2f3ea4e5127 | YAML Bug #49740
QA: test authentication and password changing (passwords longer than 512 characters should be rejected).
Does this need a release of univention-pam? I ask because the workaround for bug 49614 is a change in "/etc/pam.d/common-session" which would be overwritten in that case.
(In reply to Jürn Brodersen from comment #5)
> Does this need a release of univention-pam?
No.
OK: login with password > 512 chars not possible
OK: pam_unix does not hang anymore for big passwords
OK: trying to change password to > 512 chars shows error that password is too long
OK: yaml -> verified
<http://errata.software-univention.de/ucs/4.4/206.html>
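
The QA points from this thread (normal login works, passwords longer than 512 characters are rejected, nothing hangs) written as a repeatable check. This is an added example, not code from the bug thread, Univention or linux-pam; `probe`, `qa_report` and both backends are hypothetical names, and the backends are constructed stand-ins whose delay only simulates the hang.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

MAX_LEN = 512  # limit quoted in the QA comment


def probe(authenticate, user, length, deadline):
    """Call authenticate(user, password) with a password of `length` characters.

    Returns "accepted", "rejected", or "hang" if no answer arrives in `deadline` seconds.
    """
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(authenticate, user, "A" * length)
    try:
        return "accepted" if future.result(timeout=deadline) else "rejected"
    except FutureTimeout:
        return "hang"
    finally:
        pool.shutdown(wait=False)  # a stuck call must not block the report


def qa_report(authenticate, user, good_len, deadline=0.5):
    """Probe a valid length, the first rejected length, and a very long input."""
    lengths = [good_len, MAX_LEN + 1, 100_000]
    results = {n: probe(authenticate, user, n, deadline) for n in lengths}
    ok = (results[good_len] == "accepted"
          and all(results[n] == "rejected" for n in lengths[1:]))
    return ok, results


# Constructed stand-ins for a PAM-backed authenticate(user, password) callable.
def unpatched_backend(user, password):
    time.sleep(len(password) / 50_000)  # simulated delay that grows with input length
    return password == "A" * 12         # constructed valid password for the test user


def patched_backend(user, password):
    if len(password) > MAX_LEN:         # refuse before any hashing work starts
        return False
    return unpatched_backend(user, password)


if __name__ == "__main__":
    print(qa_report(patched_backend, "testuser", 12))
    print(qa_report(unpatched_backend, "testuser", 12))
```

On a test system, pass a callable that wraps python-pam's authenticate for a dedicated test account in place of the stand-ins.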