RHBA-2014:1579 - Bug Fix Advisory

Topic

Updated pam packages that fix several bugs are now available for Red Hat
Enterprise Linux 6.

Description

Pluggable Authentication Modules (PAM) provide a system to set up authentication
policies without the need to recompile programs to handle authentication.

This update fixes the following bugs:

• The pam_unix module contained an "off-by-one" error when comparing the date of

user account expiration with the current date. In this situation, the real
expiration of the account happened a day after the date specified by the "chage

• E" command. This update fixes the "off-by-one" error and user accounts now

expire on the date set by the "chage -E" command. (BZ#947011)

• The pam_unix and pam_pwhistory modules did not properly handle missing fields

in the entries in the /etc/security/opasswd file. As a consequence, if some of
the fields were not present in a user's entry, changing the password for example
with the passwd command could result in a segmentation fault. This bug has been
fixed and pam_unix and pam_pwhistory now properly handle missing fields in the
entries in /etc/security/opasswd. (BZ#1120099)

• Previously, the pam_limits module did not verify whether the process

referenced in the /var/run/utmp file as the login process still existed. As a
consequence, when the user had the "maxlogins" limit set in the limits.conf file
and the login session process terminated unexpectedly and also did not update
the utmp file correctly, the user did not have access to the system even if some
of his previous login session no longer existed due to the crash. After this
update, pam_limits tests whether the login process still exists on the system.
As a result, the number of existing login sessions is counted more precisely
when the "maxlogins" limit is applied by the pam_limits module. (BZ#1054936)

• Previously, the pam_userdb module handled the call to the crypt() function too

strictly not to expect modern crypt hash formats. As a consequence, pam_userdb
was not able to support any other hash algorithms supported by the glibc library
for the user password hashes. This update improves the code handling the crypt()
function. Now, pam_userdb supports any password hash formats supported by the
glibc crypt() function. (BZ#1119289)

Users of pam are advised to upgrade to these updated packages, which fix these
bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 740233 - PAM does not correctly parse @users@@hosts netgroup syntax in /etc/security/access.conf
• BZ - 889233 - pam_cracklib: documantation need update regarding exceptions for root user
• BZ - 947011 - Suspected off-by-one in expiration calculations
• BZ - 1026203 - Missing crypt() NULL checks in pam modules
• BZ - 1028490 - pam_limits documentation is unclear about difference between maxlogins and maxsyslogins
• BZ - 1029817 - pam_access.so in pam.d files using --enablepamaccess
• BZ - 1040664 - nofile comment in /etc/security/limits.conf refers to open files when it should refer to open file descriptors
• BZ - 1054936 - pam_limits does not always count the user logins correctly for testing maxlogins
• BZ - 1071770 - URL in pam package is dead
• BZ - 1078779 - fix pam_userdb man page example
• BZ - 1119289 - pam_userdb works only with DES-crypt despite crypt() supporting other hash algorithms too

CVEs

(none)

References

(none)