Source: pam Version: 1.7.0-5 Severity: important Tags: security upstream Forwarded: https://github.com/linux-pam/linux-pam/issues/992 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for pam. CVE-2026-54411[0]: | Linux-PAM through 1.7.2 contains an observable timing discrepancy | (CWE-208) in the pam_userdb module's plaintext-password comparison | path in modules/pam_userdb/pam_userdb.c that allows a local or | network-adjacent attacker able to repeatedly drive authentication | through a calling service to recover the plaintext password of a | target account by measuring response-timing differences. The | comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is | set) preceded by a length-equality check, so the time to reject a | candidate depends on the index of the first differing byte and on | whether the candidate's length matches the stored password, leaking | the password length and individual prefix bytes. The vulnerable path | is reached when the administrator configures pam_userdb with | crypt=none, with an unrecognized crypt method, or without a crypt= | argument, causing the module to store and compare credentials in | plaintext. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-54411 https://www.cve.org/CVERecord?id=CVE-2026-54411 [1] https://github.com/linux-pam/linux-pam/issues/992 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
