CVE request: pam: password hashes aren't compared case-sensitively
From: Ratul Gupta <ratulg () redhat com>
Date: Mon, 09 Dec 2013 15:21:39 +0530
It was found that in the pam_userdb module for PAM, password hashes weren't
compared case-sensitively, which could lead to acceptance of hashes for
completely different passwords, which shouldn't be accepted.
After hashing the user's password with crypt(), pam_userdb compares the
result to the stored hash case-insensitively with strncasecmp(), which
should be avoided, as it could result in an increased possibility of a
successful brute-force attack.
Can a CVE be assigned for this?
Ratul Gupta / Red Hat Security Response Team
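Added illustration (not code from the report or from the pam_userdb module): the case-insensitive comparison described above beside a hardened one, with a constructed, shortened crypt()-style hash as the stored record. The length argument to strncasecmp() is assumed to be the stored hash length; accepted_variants() counts how many distinct hash strings the case-insensitive compare treats as equal to the stored one.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a shortened crypt()-style hash as pam_userdb would
 * store it; made up for this example, not the hash of any real password. */
static const char stored_hash[] = "$6$mYs4lT$Qw9pLz3aBvC";

/* Comparison as the report describes it: strncasecmp() over the stored
 * length, so letter case in the computed crypt() output is ignored. */
int vulnerable_compare(const char *computed, const char *stored)
{
    return strncasecmp(computed, stored, strlen(stored)) == 0;
}

/* Hardened comparison: lengths must match, every byte is compared exactly,
 * and the loop never exits early, so timing does not reveal the position
 * of the first mismatch. */
int fixed_compare(const char *computed, const char *stored)
{
    size_t n = strlen(stored);
    unsigned char diff = 0;
    if (strlen(computed) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ stored[i]);
    return diff == 0;
}

/* Copy of 'hash' with the case of every letter toggled (static buffer, not
 * thread-safe). It is a different string, i.e. crypt() output for some other
 * input, yet vulnerable_compare() reports it equal to the original. */
const char *toggled_case(const char *hash)
{
    static char out[128];
    size_t i;
    for (i = 0; i + 1 < sizeof out && hash[i] != '\0'; i++)
        out[i] = isupper((unsigned char)hash[i]) ? (char)tolower((unsigned char)hash[i])
               : islower((unsigned char)hash[i]) ? (char)toupper((unsigned char)hash[i]) : hash[i];
    out[i] = '\0';
    return out;
}

/* Number of distinct strings the case-insensitive compare accepts as equal
 * to 'hash': each letter position may be either case, so 2^letters. */
unsigned long long accepted_variants(const char *hash)
{
    unsigned long long n = 1;
    for (; *hash != '\0'; hash++)
        if (isalpha((unsigned char)*hash)) n <<= 1;
    return n;
}
```

Because crypt() output uses both upper- and lower-case letters, almost every position of a real stored hash contributes to that count, which is the "increased possibility" the report refers to.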