Posted: Sun Feb 09, 2014 11:26 am Post subject: [ GLSA 201402-12 ] PAM S/Key: Information disclosure
Gentoo Linux Security Advisory
Title: PAM S/Key: Information disclosure (GLSA 201402-12)
Date: February 09, 2014
PAM S/Key does not clear provided credentials from memory, allowing
local attackers to gain access to cleartext credentials.
PAM S/Key is a pluggable authentication module for the OpenBSD
Single-key Password system.
Vulnerable: < 1.1.5-r5
Unaffected: >= 1.1.5-r5
Architectures: All supported architectures
Ulrich Müller reported that a Gentoo patch to PAM S/Key does not remove
credentials provided by the user from memory.
A local attacker with privileged access could inspect a memory dump to
gain access to cleartext credentials provided by users.
There is no known workaround at this time.
All PAM S/Key users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_skey-1.1.5-r5"
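
For module authors, one general way to avoid this class of defect is to wipe the buffer holding a user's response on every exit path. The code below is an added example, not pam_skey's code or the Gentoo patch; the names secure_wipe, verify_and_wipe and is_zeroed and the sample strings are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Wipe through a volatile pointer so the compiler cannot drop the stores
 * as "dead" just because the buffer is freed or goes out of scope next. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical helper: checks a user-supplied response held in resp[0..cap)
 * and wipes the whole buffer on every path before returning.
 * Returns 1 on match, 0 on mismatch, -1 on malformed input. */
int verify_and_wipe(char *resp, size_t cap, const char *expected)
{
    int rc = -1;
    if (resp == NULL || cap == 0)
        return rc;
    /* Only compare if the response is NUL-terminated inside the buffer. */
    if (expected != NULL && memchr(resp, '\0', cap) != NULL)
        rc = (strcmp(resp, expected) == 0);
    secure_wipe(resp, cap);   /* match, mismatch and error all end here */
    return rc;
}

/* Returns 1 if every byte of buf is zero (used to confirm the wipe). */
int is_zeroed(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    char *resp = malloc(32);             /* stands in for a response buffer */
    if (resp == NULL)
        return 1;
    strcpy(resp, "constructed-sample");  /* constructed sample credential */
    int ok = verify_and_wipe(resp, 32, "constructed-sample");
    int clean = is_zeroed(resp, 32);     /* checked before the buffer is freed */
    free(resp);
    return (ok == 1 && clean) ? 0 : 1;
}
```

The wipe covers the full buffer capacity rather than strlen(), so bytes left over from an earlier, longer response are cleared as well.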