Hi Sam,

On Thu, Jan 18, 2024 at 08:41:29AM +0100, Salvatore Bonaccorso wrote:
> Source: pam
> Version: 1.5.2-9.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> Control: found -1 1.5.2-6+deb12u1
> Control: found -1 1.5.2-6
> Control: found -1 1.4.0-9+deb11u1
> Control: found -1 1.4.0-9
> 
> Hi,
> 
> The following vulnerability was published for pam.
> 
> CVE-2024-22365[0]:
> | pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
> | situations
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2024-22365
>     https://www.cve.org/CVERecord?id=CVE-2024-22365
> [1] https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
> [2] https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0

Note the issue does not warrant a DSA, but ideally we have it fixed
already in the upcoming point releases.

I have prepared debdiffs to propose to SRM, see attached.

But for that we would need first the fix to land into unstable. What
would be the plan here? Would you move 1.6.0 soonish to unstable,
1.5.3-1 + CVE patch or rather do a patch on top of 1.5.2-9.1 in
unstable? For the latter I could propose based on the done work as well
a NMU to unstable.

The point release, though not yet announced, is planned for early in
February, so hope we can manage it.

Regards,
Salvatore
diff -Nru pam-1.4.0/debian/changelog pam-1.4.0/debian/changelog
--- pam-1.4.0/debian/changelog  2021-08-26 21:11:23.000000000 +0200
+++ pam-1.4.0/debian/changelog  2024-01-18 08:53:14.000000000 +0100
@@ -1,3 +1,11 @@
+pam (1.4.0-9+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+    situations (CVE-2024-22365) (Closes: #1061097)
+
+ -- Salvatore Bonaccorso <[email protected]>  Thu, 18 Jan 2024 08:53:14 +0100
+
 pam (1.4.0-9+deb11u1) bullseye; urgency=medium
 
   * Fix syntax error in libpam0g.postinst when a systemd unit fails,
diff -Nru 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
--- 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 2024-01-18 08:53:14.000000000 +0100
@@ -0,0 +1,60 @@
+From: Matthias Gerstner <[email protected]>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+ situations
+Origin: 
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
+Bug-Debian: https://bugs.debian.org/1061097
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22365
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c 
b/modules/pam_namespace/pam_namespace.c
+index 2528cff86da3..f72d6718901e 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+       int dfd = AT_FDCWD;
+       int dfd_next;
+       int save_errno;
+-      int flags = O_RDONLY;
++      int flags = O_RDONLY | O_DIRECTORY;
+       int rv = -1;
+       struct stat st;
+ 
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+               rv = openat(dfd, dir, flags);
+       }
+ 
+-      if (rv != -1) {
+-              if (fstat(rv, &st) != 0) {
+-                      save_errno = errno;
+-                      close(rv);
+-                      rv = -1;
+-                      errno = save_errno;
+-                      goto error;
+-              }
+-              if (!S_ISDIR(st.st_mode)) {
+-                      close(rv);
+-                      errno = ENOTDIR;
+-                      rv = -1;
+-                      goto error;
+-              }
+-      }
+-
+       if (flags & O_NOFOLLOW) {
+               /* we are inside user-owned dir - protect */
+               if (protect_mount(rv, p, idata) == -1) {
+-- 
+2.43.0
+
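Review bot: the second inner hunk only stays correct because of the first: with `O_DIRECTORY` in `flags`, `openat(dfd, dir, flags)` fails with `ENOTDIR` for a FIFO or any other non-directory before the open would block, which is the same errno the removed `S_ISDIR` block set by hand, so callers on the `error` path see an unchanged error. Two things to confirm before upload: `struct stat st` and `save_errno`, still declared in the first inner hunk's context, were used by the removed block, so check they have other uses in protect_dir() or the build gains unused-variable warnings; and the inner hunks carry upstream's `index 2528cff86da3..f72d6718901e` and line numbers (1201, 1255) from the tree the commit was made against, not 1.4.0, so verify `quilt push` applies without fuzz on this much older source.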
diff -Nru pam-1.4.0/debian/patches/series pam-1.4.0/debian/patches/series
--- pam-1.4.0/debian/patches/series     1970-01-01 01:00:00.000000000 +0100
+++ pam-1.4.0/debian/patches/series     2024-01-18 08:53:14.000000000 +0100
@@ -0,0 +1 @@
+pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
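Review bot: both `debian/patches/series` and the patch file are created from scratch (1970 timestamps, `-0,0` hunks), so the bullseye source carried no `debian/patches` directory before this NMU; confirm the package builds as source format `3.0 (quilt)` reading the default `debian/patches` location rather than a custom patch directory configured in debian/rules, otherwise this series file is never applied and the fix silently does not reach the binary.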
diff -Nru pam-1.5.2/debian/changelog pam-1.5.2/debian/changelog
--- pam-1.5.2/debian/changelog  2023-09-21 22:55:12.000000000 +0200
+++ pam-1.5.2/debian/changelog  2024-01-18 08:49:41.000000000 +0100
@@ -1,3 +1,11 @@
+pam (1.5.2-6+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+    situations (CVE-2024-22365) (Closes: #1061097)
+
+ -- Salvatore Bonaccorso <[email protected]>  Thu, 18 Jan 2024 08:49:41 +0100
+
 pam (1.5.2-6+deb12u1) bookworm; urgency=medium
 
   * Fix pam-auth-update --disable logic error, Closes: #1039873
diff -Nru 
pam-1.5.2/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 
pam-1.5.2/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
--- 
pam-1.5.2/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
pam-1.5.2/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 2024-01-18 08:49:41.000000000 +0100
@@ -0,0 +1,60 @@
+From: Matthias Gerstner <[email protected]>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+ situations
+Origin: 
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
+Bug-Debian: https://bugs.debian.org/1061097
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22365
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c 
b/modules/pam_namespace/pam_namespace.c
+index 2528cff86da3..f72d6718901e 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+       int dfd = AT_FDCWD;
+       int dfd_next;
+       int save_errno;
+-      int flags = O_RDONLY;
++      int flags = O_RDONLY | O_DIRECTORY;
+       int rv = -1;
+       struct stat st;
+ 
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+               rv = openat(dfd, dir, flags);
+       }
+ 
+-      if (rv != -1) {
+-              if (fstat(rv, &st) != 0) {
+-                      save_errno = errno;
+-                      close(rv);
+-                      rv = -1;
+-                      errno = save_errno;
+-                      goto error;
+-              }
+-              if (!S_ISDIR(st.st_mode)) {
+-                      close(rv);
+-                      errno = ENOTDIR;
+-                      rv = -1;
+-                      goto error;
+-              }
+-      }
+-
+       if (flags & O_NOFOLLOW) {
+               /* we are inside user-owned dir - protect */
+               if (protect_mount(rv, p, idata) == -1) {
+-- 
+2.43.0
+
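Review bot: the `Origin:` header's URL sits on its own line without a leading space, which DEP-3 does not treat as a continuation line; if that is how the file is stored and not just mail wrapping, put the URL on the `Origin:` line itself. The bullseye copy is the same patch byte for byte, so any such header fix belongs in both debdiffs, and the same upstream `index`/line-number caveat applies: confirm the patch applies cleanly to the 1.5.2 tree.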
diff -Nru pam-1.5.2/debian/patches/series pam-1.5.2/debian/patches/series
--- pam-1.5.2/debian/patches/series     1970-01-01 01:00:00.000000000 +0100
+++ pam-1.5.2/debian/patches/series     2024-01-18 08:49:41.000000000 +0100
@@ -0,0 +1 @@
+pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
