Dear RMs,

I would like to make an update for shadow to fix a bug in the SHA password encryption method.

I don't think this patch would be required for security reasons (I consider the current SHA method, with the bug, still more secure than the MD5 password encryption method), but I would prefer to get it right in stable. The patch, already applied upstream, is attached.

Together with that update, I would like to backport some patches for the manpages:
- Document the -r, --system option in the useradd, groupadd, and newusers manpages.
- Document the -c, --crypt-method and -s, --sha-rounds options in the newusers manpage.
- Document the -k, --skel option in the useradd manpage.

And document some of the Debian patches (basically indicating that some of them are now applied upstream).

Would an upload be OK for
* the fix for the SHA password encrypt method
* documentation of options
* documentation of patches

Best Regards,
-- 
Nekral
Index: libmisc/salt.c =================================================================== --- libmisc/salt.c (révision 1988) +++ libmisc/salt.c (copie de travail) @@ -90,9 +90,10 @@ */ static unsigned int SHA_salt_size (void) { - double rand_rounds = 9 * random (); - rand_rounds /= RAND_MAX; - return 8 + rand_rounds; + double rand_size; + seedRNG (); + rand_size = (double) 9.0 * random () / RAND_MAX; + return 8 + rand_size; } /* ! Arguments evaluated twice ! */ @@ -131,8 +132,8 @@ if (min_rounds > max_rounds) max_rounds = min_rounds; - srand (time (NULL)); - rand_rounds = (max_rounds-min_rounds+1) * random (); + seedRNG (); + rand_rounds = (double) (max_rounds-min_rounds+1.0) * random (); rand_rounds /= RAND_MAX; rounds = min_rounds + rand_rounds; } else if (0 == *prefered_rounds) Index: ChangeLog =================================================================== --- ChangeLog (révision 1994) +++ ChangeLog (copie de travail) @@ -1,5 +1,15 @@ 2008-05-20 Nicolas François <[EMAIL PROTECTED]> + * NEWS, libmisc/salt.c (SHA_salt_size): Seed the RNG, and fix a + overflow. These caused the SHA salt size to always be 8 bytes, + instead of being in the 8-16 range. Thanks to Peter Vrabec + [EMAIL PROTECTED] for noticing. + * NEWS, libmisc/salt.c (SHA_salt_rounds): Seed the RNG with + seedRNG instead of srand, and fix the same overflow. This caused + the number of rounds to always be the smallest one. + +2008-05-20 Nicolas François <[EMAIL PROTECTED]> + * man/newusers.8.xml man/groupmems.8.xml man/groupdel.8.xml man/useradd.8.xml man/groupadd.8.xml man/newgrp.1.xml man/sg.1.xml man/chgpasswd.8.xml man/groupmod.8.xml: Tag the section which Index: NEWS =================================================================== --- NEWS (révision 1994) +++ NEWS (copie de travail) 
@@ -2,6 +2,15 @@ shadow-4.1.1 -> shadow-4.1.2 UNRELEASED +*** security: +- generation of SHA encrypted passwords (chpasswd, gpasswd, newusers, + chgpasswd; and also passwd if configured without PAM support). + The number of rounds and number of salt bytes was fixed to their lower + allowed values (resp. configurable and 8), hence voiding some of the + advantages of this encryption method. Dictionary attacks with + precomputed tables were easier than expected, but still harder than with + the MD5 (or DES) methods. + *** general: - packaging * Distribute the chfn, chsh, and userdel PAM configuration file.
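Review bot: in the SHA_salt_size hunk of libmisc/salt.c, the upper edge is off by one: `9.0 * random () / RAND_MAX` is exactly 9.0 when random () returns a value equal to RAND_MAX, so `return 8 + rand_size;` can yield 17, outside the 8-16 range the ChangeLog entry states. Dividing by `RAND_MAX + 1.0` keeps the scaled value strictly below 9 and the result within 8-16. The `(double)` cast in front of the literal 9.0 is redundant, since the literal already makes the expression a double.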
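Review bot: in the SHA_salt_rounds hunk of libmisc/salt.c, `rounds = min_rounds + rand_rounds;` can exceed max_rounds: the span is `max_rounds-min_rounds+1.0` and the divisor is RAND_MAX, so a random () result equal to RAND_MAX gives min_rounds + (max_rounds-min_rounds+1), that is max_rounds + 1. Use `RAND_MAX + 1.0` as the divisor or clamp the result to max_rounds. Separately, seedRNG () is now called from both SHA_salt_size and SHA_salt_rounds and its body is not part of this patch; it is worth confirming that it seeds only once per process and from more than the `time (NULL)` value the removed srand call used.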
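Review bot: in the NEWS hunk, "was fixed to their lower allowed values" is ambiguous in a changelog, where "fixed" reads as "repaired"; "were always set to their lowest allowed values" says what happened and also corrects the singular verb for the plural subject. The entry names the affected tools (chpasswd, gpasswd, newusers, chgpasswd, and passwd without PAM) but not which releases produced the minimal salt size and round count; adding that would let administrators decide which stored hashes to regenerate.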