Bug#932522: buster-pu: package pam-u2f/1.0.7-1
On Tue, Aug 20, 2019 at 09:27:45PM +0100, Adam D. Barratt wrote: > On Tue, 2019-08-13 at 01:15 +0200, Nicolas Braud-Santoni wrote: > > Fixed, thanks for the catch. > > May I go ahead and upload? Updated debdiff attached > > Please do. Done, thanks again :) Best, nicoo signature.asc Description: PGP signature
Bug#932522: buster-pu: package pam-u2f/1.0.7-1
Control: tags -1 + confirmed On Tue, 2019-08-13 at 01:15 +0200, Nicolas Braud-Santoni wrote: [...] > On Fri, Jul 26, 2019 at 04:13:20PM -0300, Adam D. Barratt wrote: > > On 2019-07-20 11:15, Nicolas Braud-Santoni wrote: > > > Here is an updated debdiff; the only modification is in the > > > changelog, > > > as I forgot to close #930047 there. > > > > + * Backport a reliability fix > > +pam-u2f could previously segfault following a failure to > > allocate a > > buffer. > > > > I assume this is backported from the version of the package > > currently in unstable? > > Yes, all the fixes are backported from upstream's 1.0.8, which is > currently in sid and bullseye. [...] > > +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high > > > > Just "buster", please. > > Fixed, thanks for the catch. > May I go ahead and upload? Updated debdiff attached Please do. Regards, Adam
Bug#932522: buster-pu: package pam-u2f/1.0.7-1
Control: tags -1 - moreinfo Hi Adam, Sorry for the slow reply, I got my other -pu uploads through the finish line and forgot I had another one inflight >_>' On Fri, Jul 26, 2019 at 04:13:20PM -0300, Adam D. Barratt wrote: > On 2019-07-20 11:15, Nicolas Braud-Santoni wrote: > > Here is an updated debdiff; the only modification is in the changelog, > > as I forgot to close #930047 there. > > + * Backport a reliability fix > +pam-u2f could previously segfault following a failure to allocate a > buffer. > > I assume this is backported from the version of the package currently in > unstable? Yes, all the fixes are backported from upstream's 1.0.8, which is currently in sid and bullseye. The backporting itself was simply cherry-picking the correct commits: upstream's latest release mostly just included those changes (plus a huge diff due to regenerating the build system with a more recent version of autotools; obviously I didn't include that). > +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high > > Just "buster", please. Fixed, thanks for the catch. May I go ahead and upload? Updated debdiff attached. Best, nicoo diff -Nru pam-u2f-1.0.7/debian/changelog pam-u2f-1.0.7/debian/changelog --- pam-u2f-1.0.7/debian/changelog 2018-05-29 14:33:06.0 +0200 +++ pam-u2f-1.0.7/debian/changelog 2019-08-13 01:06:31.0 +0200 
@@ -1,3 +1,15 @@ +pam-u2f (1.0.7-1+deb10u1) buster; urgency=high + + * Backport multiple security fixes + + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021) + + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023) + + Fix a non-critical buffer out-of-bounds access. (Closes: #930047) + + * Backport a reliability fix +pam-u2f could previously segfault following a failure to allocate a buffer. + + -- Nicolas Braud-Santoni Tue, 13 Aug 2019 01:06:31 +0200 + pam-u2f (1.0.7-1) unstable; urgency=high * New upstream version 1.0.7 (2018-05-15) diff -Nru pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch --- pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch 1970-01-01 01:00:00.0 +0100 +++ pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch 2019-08-13 01:06:31.0 +0200 
@@ -0,0 +1,164 @@ +Subject: Do not leak file descriptor when doing exec + +When opening a custom debug file, the descriptor would stay +open when calling exec and leak to the child process. + +Make sure all files are opened with close-on-exec. + +This fixes CVE-2019-12210. + +Thanks to Matthias Gerstner of the SUSE Security Team for reporting +the issue. +--- + pam-u2f.c | 35 +-- + util.c| 10 +++--- + util.h| 3 ++- + 3 files changed, 34 insertions(+), 14 deletions(-) + +diff --git a/pam-u2f.c b/pam-u2f.c +index 55d5708..071d005 100644 +Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62 +Bug: 930023 +From: Gabriel Kihlman +Reviewed-by: Nicolas Braud-Santoni +Last-Update: 2019-07-20 +Applied-Upstream: b0c6b7216f064e051c1dd42629ca062f721eea5f + +--- a/pam-u2f.c b/pam-u2f.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2014-2018 Yubico AB - See COPYING ++ * Copyright (C) 2014-2019 Yubico AB - See COPYING + */ + + /* Define which PAM interfaces we provide */ +@@ -31,7 +31,11 @@ char *secure_getenv(const char *name) { + #endif + + static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { ++ struct stat st; ++ FILE *file = NULL; ++ int fd = -1; + int i; ++ + memset(cfg, 0, sizeof(cfg_t)); + cfg->debug_file = stderr; + +@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { + cfg->debug_file = (FILE *)-1; + } + else { +-struct stat st; +-FILE *file; +-if(lstat(filename, ) == 0) { +- if(S_ISREG(st.st_mode)) { +-file = fopen(filename, "a"); +-if(file != NULL) { +- cfg->debug_file = file; +-} ++fd = open(filename, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY); ++if (fd >= 0 && (fstat(fd, ) == 0) && S_ISREG(st.st_mode)) { ++ file = fdopen(fd, "a"); ++ if(file != NULL) { ++cfg->debug_file = file; ++cfg->is_custom_debug_file = 1; ++file = NULL; ++fd = -1; + } + } + } +@@ -111,6 +115,12 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { + D(cfg->debug_file, "appid=%s", cfg->appid ? 
cfg->appid : "(null)"); + D(cfg->debug_file, "prompt=%s", cfg->prompt ? cfg->prompt : "(null)"); + } ++ ++ if (fd != -1) ++close(fd); ++ ++ if (file != NULL) ++fclose(file); + } + + #ifdef DBG +@@ -317,7 +327,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, + DBG("Using file
Bug#932522: buster-pu: package pam-u2f/1.0.7-1
Control: tags -1 + moreinfo On 2019-07-20 11:15, Nicolas Braud-Santoni wrote: Control: block 930047 by -1 Here is an updated debdiff; the only modification is in the changelog, as I forgot to close #930047 there. + * Backport a reliability fix +pam-u2f could previously segfault following a failure to allocate a buffer. I assume this is backported from the version of the package currently in unstable? +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high Just "buster", please. Regards, Adam
Bug#932522: buster-pu: package pam-u2f/1.0.7-1
Control: block 930047 by -1 Here is an updated debdiff; the only modification is in the changelog, as I forgot to close #930047 there. Best, nicoo diff -Nru pam-u2f-1.0.7/debian/changelog pam-u2f-1.0.7/debian/changelog --- pam-u2f-1.0.7/debian/changelog 2018-05-29 14:33:06.0 +0200 +++ pam-u2f-1.0.7/debian/changelog 2019-07-20 16:10:16.0 +0200 @@ -1,3 +1,15 @@ +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high + + * Backport multiple security fixes + + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021) + + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023) + + Fix a non-critical buffer out-of-bounds access. (Closes: #930047) + + * Backport a reliability fix +pam-u2f could previously segfault following a failure to allocate a buffer. + + -- Nicolas Braud-Santoni Sat, 20 Jul 2019 16:10:16 +0200 + pam-u2f (1.0.7-1) unstable; urgency=high * New upstream version 1.0.7 (2018-05-15) diff -Nru pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch --- pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch 1970-01-01 01:00:00.0 +0100 +++ pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch 2019-07-20 16:10:16.0 +0200 
@@ -0,0 +1,164 @@ +Subject: Do not leak file descriptor when doing exec + +When opening a custom debug file, the descriptor would stay +open when calling exec and leak to the child process. + +Make sure all files are opened with close-on-exec. + +This fixes CVE-2019-12210. + +Thanks to Matthias Gerstner of the SUSE Security Team for reporting +the issue. +--- + pam-u2f.c | 35 +-- + util.c| 10 +++--- + util.h| 3 ++- + 3 files changed, 34 insertions(+), 14 deletions(-) + +diff --git a/pam-u2f.c b/pam-u2f.c +index 55d5708..071d005 100644 +Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62 +Bug: 930023 +From: Gabriel Kihlman +Reviewed-by: Nicolas Braud-Santoni +Last-Update: 2019-07-20 +Applied-Upstream: b0c6b7216f064e051c1dd42629ca062f721eea5f + +--- a/pam-u2f.c b/pam-u2f.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2014-2018 Yubico AB - See COPYING ++ * Copyright (C) 2014-2019 Yubico AB - See COPYING + */ + + /* Define which PAM interfaces we provide */ +@@ -31,7 +31,11 @@ char *secure_getenv(const char *name) { + #endif + + static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { ++ struct stat st; ++ FILE *file = NULL; ++ int fd = -1; + int i; ++ + memset(cfg, 0, sizeof(cfg_t)); + cfg->debug_file = stderr; + +@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { + cfg->debug_file = (FILE *)-1; + } + else { +-struct stat st; +-FILE *file; +-if(lstat(filename, ) == 0) { +- if(S_ISREG(st.st_mode)) { +-file = fopen(filename, "a"); +-if(file != NULL) { +- cfg->debug_file = file; +-} ++fd = open(filename, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY); ++if (fd >= 0 && (fstat(fd, ) == 0) && S_ISREG(st.st_mode)) { ++ file = fdopen(fd, "a"); ++ if(file != NULL) { ++cfg->debug_file = file; ++cfg->is_custom_debug_file = 1; ++file = NULL; ++fd = -1; + } + } + } +@@ -111,6 +115,12 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { + D(cfg->debug_file, "appid=%s", cfg->appid ? 
cfg->appid : "(null)"); + D(cfg->debug_file, "prompt=%s", cfg->prompt ? cfg->prompt : "(null)"); + } ++ ++ if (fd != -1) ++close(fd); ++ ++ if (file != NULL) ++fclose(file); + } + + #ifdef DBG +@@ -317,7 +327,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, + DBG("Using file '%s' for emitting touch request notifications", cfg->authpending_file); + + // Open (or create) the authpending_file to indicate that we start waiting for a touch +-authpending_file_descriptor = open(cfg->authpending_file, O_RDONLY | O_CREAT, 0664); ++authpending_file_descriptor = ++ open(cfg->authpending_file, O_RDONLY | O_CREAT | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY, 0664); + if (authpending_file_descriptor < 0) { + DBG("Unable to emit 'authentication started' notification by opening the file '%s', (%s)", + cfg->authpending_file, strerror(errno)); +@@ -385,6 +396,10 @@ done: + } + DBG("done. [%s]", pam_strerror(pamh, retval)); + ++ if (cfg->is_custom_debug_file) { ++fclose(cfg->debug_file); ++ } ++ + return retval; + } + +diff --git a/util.c b/util.c +index e7d8ecc..c17a0e6 100644 +--- a/util.c b/util.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2014-2018 Yubico AB - See COPYING ++ * Copyright (C)
Bug#932522: buster-pu: package pam-u2f/1.0.7-1
Package: release.debian.org Severity: normal Tags: buster security User: release.debian@packages.debian.org Usertags: pu Control: block 930021 by -1 Control: block 930023 by -1 -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear release team, I prepared a proposed update for pam-u2f, backporting fixes from upstream: * multiple security fixes + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021) + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023) + Fix a non-critical buffer out-of-bounds access. * reliability fix pam-u2f could previously segfault following a failure to allocate a buffer. Regarding the security fixes, Salvatore stated in #931991 that the issues do not warrant issuing a DSA, making them eligible for a fix via -pu. Please find the debdiff attached. Best, nicoo - -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -BEGIN PGP SIGNATURE- iQJFBAEBCgAvFiEEU7EqA8ZVHYoLJhPE5vmO4pLV7MsFAl0y/UERHG5pY29vQGRl Ymlhbi5vcmcACgkQ5vmO4pLV7MtAiBAAqhUt6lU/n5LFHqairAg5msDvEZ7IvyJf dH/yqFj2StXU6K6UBnz4nO0rc3z25+NEa/IkRxnJdIoxhEFULhg1nBKlM+VSWdUw HvKIJ0q5VV5iNY9U6XG9gXu2CHVlxMrMwhmrv2d37Pmu40AUcvRfWYWQUOgoLKHf R2/ydppF+UpxRJVo6DkgaNJwl/Eb/K2M8Ghq51hivPBB7xiTAXP9XW0tydSBe0SU WDgBexfxf53dfGgSqNovoLCFpikQHRnF5Kr46Lwy94YiDMwnGHPwsEFSNBTtzFEv YJvtRGT3Vu09Emp1w1fT7JRbYzuc0VYm47dA8KWN3t4QnPaVovfv7wGGtQU3enic 9xZGlvrscOBeP6LNuICCdSwmsmrvWiFH9HQD/aamOSJTDrV1R93SpJPnpIXctPjw sEsWB8zXDfPkHfrCl/XxY1SuxpcIY1FJbsyfuh5uIL5y5b9BSYoyUjel8HkmSQWE 
Nvc4IWl4AoFIwc/i3JwdPFUk34Kj79ogQitjrhVHQc78uFivUaHmvp5Kkhn/fe+4 bdEBPXLpxwUlS49XzjVPA3nhtnZrLotaqUxpMVdQV4P/8e7UEyILDgCe0SRRLQ2w BSbMBsYrRHCQQvvqeV1taIB/UvRcQY8UPSQrYOe1rkNBYWX8K4yDJnZlPng9gBcJ VJu/aURTTD4= =Gn9T -END PGP SIGNATURE- diff -Nru pam-u2f-1.0.7/debian/changelog pam-u2f-1.0.7/debian/changelog --- pam-u2f-1.0.7/debian/changelog 2018-05-29 14:33:06.0 +0200 +++ pam-u2f-1.0.7/debian/changelog 2019-07-20 13:29:57.0 +0200 @@ -1,3 +1,15 @@ +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high + + * Backport multiple security fixes + + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021) + + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023) + + Fix a non-critical buffer out-of-bounds access. + + * Backport a reliability fix +pam-u2f could previously segfault following a failure to allocate a buffer. + + -- Nicolas Braud-Santoni Sat, 20 Jul 2019 13:29:57 +0200 + pam-u2f (1.0.7-1) unstable; urgency=high * New upstream version 1.0.7 (2018-05-15) diff -Nru pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch --- pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch 1970-01-01 01:00:00.0 +0100 +++ pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch 2019-07-20 13:29:57.0 +0200 
@@ -0,0 +1,164 @@ +Subject: Do not leak file descriptor when doing exec + +When opening a custom debug file, the descriptor would stay +open when calling exec and leak to the child process. + +Make sure all files are opened with close-on-exec. + +This fixes CVE-2019-12210. + +Thanks to Matthias Gerstner of the SUSE Security Team for reporting +the issue. +--- + pam-u2f.c | 35 +-- + util.c| 10 +++--- + util.h| 3 ++- + 3 files changed, 34 insertions(+), 14 deletions(-) + +diff --git a/pam-u2f.c b/pam-u2f.c +index 55d5708..071d005 100644 +Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62 +Bug: 930023 +From: Gabriel Kihlman +Reviewed-by: Nicolas Braud-Santoni +Last-Update: 2019-07-20 +Applied-Upstream: b0c6b7216f064e051c1dd42629ca062f721eea5f + +--- a/pam-u2f.c b/pam-u2f.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2014-2018 Yubico AB - See COPYING ++ * Copyright (C) 2014-2019 Yubico AB - See COPYING + */ + + /* Define which PAM interfaces we provide */ +@@ -31,7 +31,11 @@ char *secure_getenv(const char *name) { + #endif + + static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { ++ struct stat st; ++ FILE *file = NULL; ++ int fd = -1; + int i; ++ + memset(cfg, 0, sizeof(cfg_t)); + cfg->debug_file = stderr; + +@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) { + cfg->debug_file =