author | Björn Esser <besser82@fedoraproject.org> | 2018-11-23 19:57:43 +0100 |
---|---|---|
committer | Tomáš Mráz <t8m@users.noreply.github.com> | 2020-01-17 16:52:32 +0100 |
commit | a12ec8b879337c15acba04fe7f5c8e75f5a91809 (patch) | |
tree | 46e34165a7f569cc80e4f28c65ce8385bf2eb08a /modules/pam_namespace | |
parent | ded7401a0bc743aaffa785a8b015ceec7780462d (diff) | |

pam_unix: Return NULL instead of calling crypt_md5_wrapper().

If the call to the crypt(3) function failed for some reason during
hashing a new login passphrase, the wrapper function for computing
a hash with the md5crypt method was called internally by the pam_unix
module in previous versions of linux-pam.

With CVE-2012-3287 in mind, the md5crypt method is not considered to
be a safe or recommended hashing method for a new login passphrase
since at least 2012. Thus pam_unix should error out in case of a
failure in crypt(3) instead of silently computing a hashed passphrase
using a potentially unsafe method.

* modules/pam_unix/pam_unix.8.xml: Update documentation.
* modules/pam_unix/passverify.c (create_password_hash): Return NULL
on error instead of silently invoking crypt_md5_wrapper().

Diffstat (limited to 'modules/pam_namespace')
0 files changed, 0 insertions, 0 deletions
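
The behaviour change described in the commit message, as an added example that is not code from linux-pam: a hashing helper that silently downgrades to md5crypt beside one that returns NULL. The backends are constructed stand-ins for crypt(3), and the names `hash_fn`, `hash_ok`, `hash_with_fallback` and `hash_or_fail` are hypothetical; the success test (non-NULL, no `*` failure token, requested method prefix) is an assumption about how a caller detects failure.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as crypt(3); the backends below are constructed stand-ins. */
typedef const char *(*hash_fn)(const char *key, const char *setting);

/* Constructed: a crypt(3) that does not support the requested method. */
static const char *backend_unsupported(const char *key, const char *setting) {
    (void)key; (void)setting;
    return "*0";            /* failure token; other libcs return NULL */
}

/* Constructed: stands in for the md5crypt wrapper the old code fell back to. */
static const char *backend_md5(const char *key, const char *setting) {
    (void)key; (void)setting;
    return "$1$constructed$PLACEHOLDERMD5HASH";
}

/* Usable only if non-NULL, not a failure token, and of the requested method. */
static int hash_ok(const char *sp, const char *algoid) {
    return sp && sp[0] != '*' && strncmp(sp, algoid, strlen(algoid)) == 0;
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Before: a failed hash is silently replaced by an md5crypt one. */
char *hash_with_fallback(hash_fn primary, const char *pw,
                         const char *setting, const char *algoid) {
    const char *sp = primary(pw, setting);
    if (!hash_ok(sp, algoid))
        sp = backend_md5(pw, "$1$constructed$");
    return dup_str(sp);
}

/* After: the failure reaches the caller, which must abort the change. */
char *hash_or_fail(hash_fn primary, const char *pw,
                   const char *setting, const char *algoid) {
    const char *sp = primary(pw, setting);
    return hash_ok(sp, algoid) ? dup_str(sp) : NULL;
}

int main(void) {
    char *old = hash_with_fallback(backend_unsupported, "pw", "$6$constructed$", "$6$");
    char *strict = hash_or_fail(backend_unsupported, "pw", "$6$constructed$", "$6$");
    printf("before: %s\nafter:  %s\n", old, strict ? strict : "(NULL, error out)");
    free(old); free(strict);
    return 0;
}
```

A stored hash that begins with `$1$` on a system configured for a stronger method is the visible trace of the old fallback path.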