From owner-svn-src-head@freebsd.org Thu Oct 26 13:23:14 2017 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 52A39E49868; Thu, 26 Oct 2017 13:23:14 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 215967DF81; Thu, 26 Oct 2017 13:23:14 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v9QDNDXu067293; Thu, 26 Oct 2017 13:23:13 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v9QDNDsP067292; Thu, 26 Oct 2017 13:23:13 GMT (envelope-from des@FreeBSD.org) Message-Id: <201710261323.v9QDNDsP067292@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: des set sender to des@FreeBSD.org using -f From: =?UTF-8?Q?Dag-Erling_Sm=c3=b8rgrav?= Date: Thu, 26 Oct 2017 13:23:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r325010 - head/lib/libpam/modules/pam_unix X-SVN-Group: head X-SVN-Commit-Author: des X-SVN-Commit-Paths: head/lib/libpam/modules/pam_unix X-SVN-Commit-Revision: 325010 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Oct 2017 13:23:14 -0000 Author: des Date: Thu Oct 26 13:23:13 2017 New Revision: 325010 URL: https://svnweb.freebsd.org/changeset/base/325010 Log: If the user-provided password exceeds the maximum password length, don't bother passing it to crypt(). It won't succeed and may allow an attacker to confirm that the user exists. Reported by: jkim@ MFC after: 1 week Security: CVE-2016-6210 Modified: head/lib/libpam/modules/pam_unix/pam_unix.c Modified: head/lib/libpam/modules/pam_unix/pam_unix.c ============================================================================== --- head/lib/libpam/modules/pam_unix/pam_unix.c Thu Oct 26 10:18:31 2017 (r325009) +++ head/lib/libpam/modules/pam_unix/pam_unix.c Thu Oct 26 13:23:13 2017 (r325010) @@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && openpam_get_option(pamh, PAM_OPT_NULLOK)) return (PAM_SUCCESS); + PAM_LOG("Password is empty, using fake password"); realpw = "*"; } lc = login_getpwclass(pwd); @@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un if (retval != PAM_SUCCESS) return (retval); PAM_LOG("Got password"); + if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { + PAM_LOG("Password is too long, using fake password"); + realpw = "*"; + } if (strcmp(crypt(pass, realpw), realpw) == 0) return (PAM_SUCCESS);