strange behaviour when password longer than 512 bytes

Pablo Hinojosa Nava pablohn6 at gmail.com
Fri Jun 3 15:43:43 UTC 2016 

I have seen a strange behaviour when I try to set a password longer than
512 bytes.

I guess because of CVE-2015-3238 the limit of the password was set to 512
bytes. That is why if I set a password of more than 512 bytes only first
512 are saved (maybe in this line
<https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/pam_unix_passwd.c#n313>).
The problem is the remaining characters. Using passwd, the rest of the
characters go outside the command and are interpreted by next command
(usually another prompt). That is why if you set, for example, this
password:

ThisisalooooooooooooongpasswordAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm0123456789012345678901234567890CVEecho
> "Hello"
>

that is, 512 random characters and then echo "Hello", passwd set the
password (only 512 characters) BUT the remaining characters are executed as
a command. So with that password, passwd will update the password and then
execute

echo "Hello"
>


[root at localhost ~]# passwd username
> Changing password for user username.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> [root at localhost ~]# echo "Hello"
> Hello
>

Why the remaining characters are executed? Why do not drop them? How can I
manage them to prevent being interpreted by next command?

Cheers,

Pablo Hinojosa.    CC58B86B
<https://pgp.mit.edu/pks/lookup?op=get&search=0x947319E2CC58B86B>
PabloHinojosa.is
<http://pablohinojosa.is/this?utm_source=firma&utm_medium=correo&utm_campaign=firma>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20160603/1e3126d4/attachment.htm>

More information about the Pam-list mailing list