Bug#1061097: pam: CVE-2024-22365: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations

2024-01-19 Thread Salvatore Bonaccorso
Hi Sam,

On Thu, Jan 18, 2024 at 08:41:29AM +0100, Salvatore Bonaccorso wrote:
> Source: pam
> Version: 1.5.2-9.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> 
> Control: found -1 1.5.2-6+deb12u1
> Control: found -1 1.5.2-6
> Control: found -1 1.4.0-9+deb11u1
> Control: found -1 1.4.0-9
> 
> Hi,
> 
> The following vulnerability was published for pam.
> 
> CVE-2024-22365[0]:
> | pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
> | situations
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2024-22365
> https://www.cve.org/CVERecord?id=CVE-2024-22365
> [1] https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
> [2] https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0

Note the issue does not warrant a DSA, but ideally we have it fixed
already in the upcoming point releases.

I have prepared debdiffs to propose to SRM, see attached.

But for that we would need the fix to land in unstable first. What
would be the plan here? Would you move 1.6.0 soonish to unstable,
1.5.3-1 + CVE patch, or rather do a patch on top of 1.5.2-9.1 in
unstable? For the latter I could also propose an NMU to unstable,
based on the work already done.

The point release, though not yet announced, is planned for early
February, so I hope we can manage it.

Regards,
Salvatore
diff -Nru pam-1.4.0/debian/changelog pam-1.4.0/debian/changelog
--- pam-1.4.0/debian/changelog  2021-08-26 21:11:23.0 +0200
+++ pam-1.4.0/debian/changelog  2024-01-18 08:53:14.0 +0100
@@ -1,3 +1,11 @@
+pam (1.4.0-9+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+situations (CVE-2024-22365) (Closes: #1061097)
+
+ -- Salvatore Bonaccorso   Thu, 18 Jan 2024 08:53:14 +0100
+
 pam (1.4.0-9+deb11u1) bullseye; urgency=medium
 
   * Fix syntax error in libpam0g.postinst when a systemd unit fails,
diff -Nru 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
--- 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 1970-01-01 01:00:00.0 +0100
+++ 
pam-1.4.0/debian/patches/pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
 2024-01-18 08:53:14.0 +0100
@@ -0,0 +1,60 @@
+From: Matthias Gerstner 
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
+ situations
+Origin: 
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
+Bug-Debian: https://bugs.debian.org/1061097
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22365
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c 
b/modules/pam_namespace/pam_namespace.c
+index 2528cff86da3..f72d6718901e 100644
+--- a/modules/pam_namespace/pam_namespace.c
 b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+   int dfd = AT_FDCWD;
+   int dfd_next;
+   int save_errno;
+-  int flags = O_RDONLY;
++  int flags = O_RDONLY | O_DIRECTORY;
+   int rv = -1;
+   struct stat st;
+ 
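Review bot: putting O_DIRECTORY into the shared `flags` variable rather than into the final `openat()` alone is the right scope: every `openat()` in the walk that reuses `flags` is now covered, and a FIFO planted at an intermediate path element would block the crawl just as reliably as one at the leaf. It is also a real fix rather than merely an earlier failure, because the kernel rejects a non-directory for O_DIRECTORY during path lookup with ENOTDIR, before the FIFO open that would otherwise sleep waiting for a writer. One thing to double-check before merging: `struct stat st` is still declared here while the next hunk drops the `fstat()` that used it, so confirm something outside this diff still references `st`, or the build will flag an unused variable.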
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+   rv = openat(dfd, dir, flags);
+   }
+ 
+-  if (rv != -1) {
+-  if (fstat(rv, ) != 0) {
+-  save_errno = errno;
+-  close(rv);
+-  rv = -1;
+-  errno = save_errno;
+-  goto error;
+-  }
+-  if (!S_ISDIR(st.st_mode)) {
+-  close(rv);
+-  errno = ENOTDIR;
+-  rv = -1;
+-  goto error;
+-  }
+-  }
+-
+   if (flags & O_NOFOLLOW) {
+   /* we are inside user-owned dir - protect */
+   if (protect_mount(rv, p, idata) == -1) {
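Review bot: the removed `S_ISDIR()` branch set `errno = ENOTDIR` by hand, and `openat()` with O_DIRECTORY fails on a non-directory with exactly that errno, so callers that log `errno` after `goto error` see no behavioural change; the save_errno/close/restore sequence for a failed `fstat()` goes with it, which is fine because the kernel now performs the type check before any fd exists. The remaining `if (flags & O_NOFOLLOW)` path still hands `rv` to `protect_mount()`, and with O_NOFOLLOW kept in `flags` a symlink at the final element is still refused (ELOOP) rather than followed, so the symlink protection is untouched. Note for anyone applying this from the list rather than from the upstream commit: the removed line reads `fstat(rv, ) != 0` here, its `&st` argument having been lost in transit, and `patch` will reject the hunk against a pristine tree until that line is restored.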
+-- 
+2.43.0
+
diff -Nru pam-1.4.0/debian/patches/series pam-1.4.0/debian/patches/series
--- pam-1.4.0/debian/patches/series 1970-01-01 01:00:00.0 +0100
+++ 
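As an added illustration of the failure mode the commit message describes (this is example code written for this page, not code from Linux-PAM or from the bug report): a component-by-component openat() walk modelled on protect_dir(), run once with the pre-fix O_RDONLY flags and once with O_RDONLY|O_DIRECTORY against a FIFO planted where a directory is expected. The walk itself, the temporary layout under /tmp, the 500 ms watchdog and the helper names are this example's own assumptions; the flag semantics are those documented for open(2).

```c
/* Added demo for CVE-2024-22365 (not Linux-PAM code): the component walk of
 * protect_dir() hangs on a FIFO unless openat() gets O_DIRECTORY. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Component-by-component walk modelled on protect_dir(): each element is
 * opened relative to the previous one with openat(). Requires an absolute
 * path; returns an fd for the final element, or -1 with errno set. The
 * O_NOFOLLOW promotion of the real function is left out for brevity. */
static int walk_open(const char *path, int flags)
{
    char *p = strdup(path), *dir, *d;
    int dfd, next, saved;
    if (p == NULL || *p != '/') { free(p); errno = EINVAL; return -1; }
    if ((dfd = open("/", flags)) == -1) { free(p); return -1; }   /* "/" assumed safe */
    for (dir = p + 1; (d = strchr(dir, '/')) != NULL; dir = d + 1) {
        *d = '\0';
        next = openat(dfd, dir, flags);
        saved = errno; close(dfd);           /* close() must not clobber errno */
        if (next == -1) { free(p); errno = saved; return -1; }
        dfd = next;
    }
    next = openat(dfd, dir, flags);          /* final element: the FIFO lives here */
    saved = errno; close(dfd);
    free(p);
    if (next == -1) errno = saved;
    return next;
}

/* Constructed layout: <tmp>/user/ is the user-controlled directory and
 * <tmp>/user/inst is a FIFO planted where a directory is expected. */
struct layout { char tmp[64], user[72], fifo[80]; };

static int make_layout(struct layout *l)
{
    strcpy(l->tmp, "/tmp/cve-2024-22365-XXXXXX");
    if (mkdtemp(l->tmp) == NULL) return -1;
    snprintf(l->user, sizeof l->user, "%s/user", l->tmp);
    snprintf(l->fifo, sizeof l->fifo, "%s/inst", l->user);
    return (mkdir(l->user, 0755) == 0 && mkfifo(l->fifo, 0600) == 0) ? 0 : -1;
}

static void remove_layout(struct layout *l) { unlink(l->fifo); rmdir(l->user); rmdir(l->tmp); }

/* Run walk_open() in a child and give it ~500 ms. Returns 1 if the child was
 * still stuck inside open() (the DoS), 0 if it returned, -1 on fork error. */
static int open_blocks(const char *path, int flags)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(walk_open(path, flags) == -1 ? 1 : 0);
    for (int i = 0; i < 50; i++) {
        if (waitpid(pid, NULL, WNOHANG) == pid) return 0;
        usleep(10000);
    }
    kill(pid, SIGKILL); waitpid(pid, NULL, 0);   /* give up: blocked on the FIFO */
    return 1;
}

/* Pre-fix flags: open(2) on a FIFO with no writer never returns. Expect 1. */
int unfixed_open_blocks(void)
{
    struct layout l;
    if (make_layout(&l) != 0) return -1;
    int r = open_blocks(l.fifo, O_RDONLY);
    remove_layout(&l);
    return r;
}

/* Post-fix flags: the kernel rejects the non-directory during path lookup,
 * before the FIFO open could block. Returns the errno seen; expect ENOTDIR. */
int fixed_open_errno(void)
{
    struct layout l;
    if (make_layout(&l) != 0) return -1;
    int fd = walk_open(l.fifo, O_RDONLY | O_DIRECTORY);
    int e = (fd == -1) ? errno : 0;
    if (fd != -1) close(fd);
    remove_layout(&l);
    return e;
}

int main(void)
{
    int blocked = unfixed_open_blocks(), e = fixed_open_errno();
    printf("O_RDONLY: %s\nO_RDONLY|O_DIRECTORY: errno %d (%s)\n",
           blocked == 1 ? "blocked (local DoS)" : "returned", e, strerror(e));
    return 0;
}
```

Build with `cc -std=c11 demo.c` and run as an unprivileged user; no PAM configuration is involved, the primitive is just open(2) on a FIFO. The pre-fix child has to be killed after half a second because a read-only open of a FIFO with no writer does not return on its own, which is the "block indefinitely" in the commit message; with O_DIRECTORY the same walk fails immediately with ENOTDIR, the very errno the removed S_ISDIR() check used to set by hand, so error reporting upstream of protect_dir() is unchanged.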

Bug#1061097: pam: CVE-2024-22365: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations

2024-01-17 Thread Salvatore Bonaccorso
Source: pam
Version: 1.5.2-9.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.5.2-6+deb12u1
Control: found -1 1.5.2-6
Control: found -1 1.4.0-9+deb11u1
Control: found -1 1.4.0-9

Hi,

The following vulnerability was published for pam.

CVE-2024-22365[0]:
| pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS
| situations

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22365
https://www.cve.org/CVERecord?id=CVE-2024-22365
[1] https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
[2] https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0

Regards,
Salvatore