Bugzilla – Bug 1150520
AUDIT-1: libpwquality: review pam_pwquality not yet whitelisted in rpmlint
Last modified: 2021-08-12 11:48:29 UTC
+++ This bug was initially created as a clone of Bug #1150178
As discussed in the proactive security team we want to catch up on the packages shipping PAM modules that haven't been reviewed yet. Formerly there was no badness for this type of rpmlint check. Right now the new review bot should catch them. libpwquality is one of the packages shipping a pam module (pam_pwquality) that has not been reviewed yet. The code should be reviewed and if all is well the pam module be whitelisted in rpmlint.
I will look into this.
This is a small and simple PAM module that only acts in the passwd change context to verify the quality of passwords according to various configuration settings and dictionaries. The code looks sane and shouldn't have any issues. I didn't look too closely into what libpwquality itself does with the password. In the worst case it would leak the password somehow but I sure hope this is not the case.
I submitted this PAM module to the whitelisting in rpmlint. It should hit Factory in a while.
The whitelisting is by now in Factory, therefore I'm closing this bug as FIXED.