Bug 1150520 - AUDIT-1: libpwquality: review pam_pwquality not yet whitelisted in rpmlint
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Assigned To: Matthias Gerstner
Blocks: 1150178
Reported: 2019-09-12 10:48 UTC by Matthias Gerstner
Modified: 2021-08-12 11:48 UTC
Description Matthias Gerstner 2019-09-12 10:48:11 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the packages
shipping PAM modules that haven't been reviewed yet. Formerly there was no
badness for this type of rpmlint check. Right now the new review bot should
catch them.

libpwquality is one of the packages shipping a PAM module (pam_pwquality) that
has not been reviewed yet.

The code should be reviewed and, if all is well, the PAM module should be
whitelisted in rpmlint.
Comment 1 Matthias Gerstner 2019-09-20 11:42:54 UTC
I will look into this.
Comment 2 Matthias Gerstner 2019-09-20 13:26:42 UTC
This is a small and simple PAM module that only acts in the passwd change
context to verify the quality of passwords according to various configuration
settings and dictionaries.

The code looks sane and shouldn't have any issues. I didn't look too closely
into what libpwquality itself does with the password. In the worst case it
would leak the password somehow but I sure hope this is not the case.
Comment 3 Matthias Gerstner 2019-12-16 13:25:18 UTC
I submitted this PAM module to the whitelisting in rpmlint. It should hit
Factory in a while.
Comment 4 Matthias Gerstner 2020-01-30 14:26:54 UTC
The whitelisting is by now in Factory, therefore I'm closing this bug as