Bug 1150520

Summary: AUDIT-1: libpwquality: review pam_pwquality not yet whitelisted in rpmlint
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Security
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: jsegitz, malte.kraus, matthias.gerstner, meissner, os.gnome.maintainers
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Blocks: 1150178

Description Matthias Gerstner 2019-09-12 10:48:11 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the packages
shipping PAM modules that haven't been reviewed yet. Formerly there was no
badness for this type of rpmlint check. Right now the new review bot should
catch them.

libpwquality is one of the packages shipping a pam module (pam_pwquality) that
has not been reviewed yet.

The code should be reviewed and if all is well the pam module be whitelisted
in rpmlint.
Comment 1 Matthias Gerstner 2019-09-20 11:42:54 UTC
I will look into this.
Comment 2 Matthias Gerstner 2019-09-20 13:26:42 UTC
This is a small and simple PAM module that only acts in the passwd change
context to verify the quality of passwords according to various configuration
settings and dictionaries.

The code looks sane and shouldn't have any issues. I didn't look too closely
into what libpwquality itself does with the password. In the worst case it
would leak the password somehow but I sure hope this is not the case.
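As an added illustration of the "configuration settings and dictionaries" the module enforces (this is not from the bug report or from the libpwquality project), two alternative /etc/security/pwquality.conf fragments: the first leaves the checks nearly toothless, the second is what a reviewer would expect on a hardened host. Option names are the documented pwquality.conf keys; the values are assumptions chosen for illustration.

```ini
# Added example, not part of the bug report or of libpwquality.
# Two ALTERNATIVE fragments for /etc/security/pwquality.conf; pick one,
# do not concatenate them (later keys would override earlier ones).

# --- Permissive: pam_pwquality runs but rejects almost nothing ---
# 6 is the lowest length libpwquality accepts for minlen.
minlen = 6
# Positive credit values let each character class count extra towards
# minlen, so short passwords with mixed classes still pass.
dcredit = 1
ucredit = 1
lcredit = 1
ocredit = 1
# No dictionary lookup, user name allowed inside the password.
dictcheck = 0
usercheck = 0
# Only warn about weak passwords, never reject them.
enforcing = 0

# --- Stricter: the settings a hardening baseline would ask for ---
minlen = 12
# Negative credit values are minimum counts: at least one digit, one
# upper-case, one lower-case and one other character is required.
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# At least three character classes, regardless of the credits above.
minclass = 3
# No more than three identical consecutive characters.
maxrepeat = 3
# No more than four consecutive characters from the same class.
maxclassrepeat = 4
# Reject words found in the cracklib dictionary and passwords that
# contain the user name.
dictcheck = 1
usercheck = 1
# Site-specific words to reject, space separated (assumed values).
badwords = opensuse tumbleweed
# Actually reject weak passwords instead of only warning.
enforcing = 1
```

Settings can also be passed as arguments on the pam_pwquality line in the PAM stack, where they override the file for that service.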
Comment 3 Matthias Gerstner 2019-12-16 13:25:18 UTC
I submitted this PAM module to the whitelisting in rpmlint. It should hit
Factory in a while.
Comment 4 Matthias Gerstner 2020-01-30 14:26:54 UTC
The whitelisting is by now in Factory, therefore I'm closing this bug as