Bug#932522: buster-pu: package pam-u2f/1.0.7-1

2019-08-24 Thread Nicolas Braud-Santoni
On Tue, Aug 20, 2019 at 09:27:45PM +0100, Adam D. Barratt wrote:
> On Tue, 2019-08-13 at 01:15 +0200, Nicolas Braud-Santoni wrote:
> > Fixed, thanks for the catch.
> > May I go ahead and upload?  Updated debdiff attached
> 
> Please do.

Done, thanks again  :)


Best,

  nicoo




Bug#932522: buster-pu: package pam-u2f/1.0.7-1

2019-08-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2019-08-13 at 01:15 +0200, Nicolas Braud-Santoni wrote:
[...]
> On Fri, Jul 26, 2019 at 04:13:20PM -0300, Adam D. Barratt wrote:
> > On 2019-07-20 11:15, Nicolas Braud-Santoni wrote:
> > > Here is an updated debdiff; the only modification is in the
> > > changelog,
> > > as I forgot to close #930047 there.
> > 
> > +  * Backport a reliability fix
> > +pam-u2f could previously segfault following a failure to
> > allocate a
> > buffer.
> > 
> > I assume this is backported from the version of the package
> > currently in unstable?
> 
> Yes, all the fixes are backported from upstream's 1.0.8, which is
> currently in sid and bullseye.
[...]
> > +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high
> > 
> > Just "buster", please.
> 
> Fixed, thanks for the catch.
> May I go ahead and upload?  Updated debdiff attached

Please do.

Regards,

Adam



Bug#932522: buster-pu: package pam-u2f/1.0.7-1

2019-08-12 Thread Nicolas Braud-Santoni
Control: tags -1 - moreinfo

Hi Adam,

Sorry for the slow reply, I got my other -pu uploads through the finish
line and forgot I had another one inflight  >_>'


On Fri, Jul 26, 2019 at 04:13:20PM -0300, Adam D. Barratt wrote:
> On 2019-07-20 11:15, Nicolas Braud-Santoni wrote:
> > Here is an updated debdiff; the only modification is in the changelog,
> > as I forgot to close #930047 there.
> 
> +  * Backport a reliability fix
> +pam-u2f could previously segfault following a failure to allocate a
> buffer.
> 
> I assume this is backported from the version of the package currently in
> unstable?

Yes, all the fixes are backported from upstream's 1.0.8, which is currently in
sid and bullseye.

The backporting itself was simply cherry-picking the correct commits: upstream's
latest release mostly just included those changes (plus a huge diff due to
regenerating the build system with a more recent version of autotools; obviously
I didn't include that).


> +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high
> 
> Just "buster", please.

Fixed, thanks for the catch.
May I go ahead and upload?  Updated debdiff attached.


Best,

  nicoo
diff -Nru pam-u2f-1.0.7/debian/changelog pam-u2f-1.0.7/debian/changelog
--- pam-u2f-1.0.7/debian/changelog	2018-05-29 14:33:06.0 +0200
+++ pam-u2f-1.0.7/debian/changelog	2019-08-13 01:06:31.0 +0200
@@ -1,3 +1,15 @@
+pam-u2f (1.0.7-1+deb10u1) buster; urgency=high
+
+  * Backport multiple security fixes
+ + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021)
+ + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023)
+ + Fix a non-critical buffer out-of-bounds access. (Closes: #930047)
+
+  * Backport a reliability fix
+pam-u2f could previously segfault following a failure to allocate a buffer.
+
+ -- Nicolas Braud-Santoni   Tue, 13 Aug 2019 01:06:31 +0200
+
 pam-u2f (1.0.7-1) unstable; urgency=high
 
   * New upstream version 1.0.7 (2018-05-15)
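Review bot: the reliability-fix entry (`+  * Backport a reliability fix` / `+pam-u2f could previously segfault following a failure to allocate a buffer.`) carries no bug number and no upstream reference, while the three security entries above it each cite a CVE and a `(Closes: #...)`; a stable update has to be traceable change by change, so name the upstream commit (the `Origin:` of the corresponding DEP-3 patch) or the Debian bug on that line.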
diff -Nru pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
--- pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch	1970-01-01 01:00:00.0 +0100
+++ pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch	2019-08-13 01:06:31.0 +0200
@@ -0,0 +1,164 @@
+Subject: Do not leak file descriptor when doing exec
+
+When opening a custom debug file, the descriptor would stay
+open when calling exec and leak to the child process.
+
+Make sure all files are opened with close-on-exec.
+
+This fixes CVE-2019-12210.
+
+Thanks to Matthias Gerstner of the SUSE Security Team for reporting
+the issue.
+---
+ pam-u2f.c | 35 +--
+ util.c| 10 +++---
+ util.h|  3 ++-
+ 3 files changed, 34 insertions(+), 14 deletions(-)
+
+diff --git a/pam-u2f.c b/pam-u2f.c
+index 55d5708..071d005 100644
+Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62
+Bug: 930023
+From: Gabriel Kihlman 
+Reviewed-by: Nicolas Braud-Santoni 
+Last-Update: 2019-07-20
+Applied-Upstream: b0c6b7216f064e051c1dd42629ca062f721eea5f
+
+--- a/pam-u2f.c
 b/pam-u2f.c
+@@ -1,5 +1,5 @@
+ /*
+- *  Copyright (C) 2014-2018 Yubico AB - See COPYING
++ *  Copyright (C) 2014-2019 Yubico AB - See COPYING
+  */
+ 
+ /* Define which PAM interfaces we provide */
+@@ -31,7 +31,11 @@ char *secure_getenv(const char *name) {
+ #endif
+ 
+ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
++  struct stat st;
++  FILE *file = NULL;
++  int fd = -1;
+   int i;
++
+   memset(cfg, 0, sizeof(cfg_t));
+   cfg->debug_file = stderr;
+ 
+@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
+ cfg->debug_file = (FILE *)-1;
+   }
+   else {
+-struct stat st;
+-FILE *file;
+-if(lstat(filename, ) == 0) {
+-  if(S_ISREG(st.st_mode)) {
+-file = fopen(filename, "a");
+-if(file != NULL) {
+-  cfg->debug_file = file;
+-}
++fd = open(filename, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY);
++if (fd >= 0 && (fstat(fd, ) == 0) && S_ISREG(st.st_mode)) {
++  file = fdopen(fd, "a");
++  if(file != NULL) {
++cfg->debug_file = file;
++cfg->is_custom_debug_file = 1;
++file = NULL;
++fd = -1;
+   }
+ }
+   }
+@@ -111,6 +115,12 @@ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
+ D(cfg->debug_file, "appid=%s", cfg->appid ? cfg->appid : "(null)");
+ D(cfg->debug_file, "prompt=%s", cfg->prompt ? cfg->prompt : "(null)");
+   }
++
++  if (fd != -1)
++close(fd);
++
++  if (file != NULL)
++fclose(file);
+ }
+ 
+ #ifdef DBG
+@@ -317,7 +327,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+ DBG("Using file 
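Review bot: the DEP-3 headers (`+Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62`, `+Bug: 930023`, `+From:`, `+Reviewed-by:`, `+Last-Update:`, `+Applied-Upstream:`) are placed between the `+index 55d5708..071d005 100644` line and `+--- a/pam-u2f.c`, i.e. inside the git diff body instead of the header block with `+Subject:`; move them above the `+---` separator so DEP-3 tooling and `git am` see them, and since 930023 is a Debian bug it belongs in `Bug-Debian: https://bugs.debian.org/930023` (DEP-3 reserves `Bug:` for the upstream tracker URL). On the code itself: opening with `O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY` and then `fstat`-ing the descriptor is the right replacement for the old `lstat`-then-`fopen` sequence, which checked one path and opened another moment later, and the `close(fd)` / `fclose(file)` cleanup appended at the end of `parse_cfg` covers the two failure paths (`fstat` or `S_ISREG` failing after a successful `open`, and `fdopen` returning NULL) because the success path resets `file` and `fd` before leaving the block.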

Bug#932522: buster-pu: package pam-u2f/1.0.7-1

2019-07-26 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2019-07-20 11:15, Nicolas Braud-Santoni wrote:
> Control: block 930047 by -1
> 
> Here is an updated debdiff; the only modification is in the changelog,
> as I forgot to close #930047 there.
> 
> +  * Backport a reliability fix
> +pam-u2f could previously segfault following a failure to allocate a
> buffer.

I assume this is backported from the version of the package currently in
unstable?

> +pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high

Just "buster", please.

Regards,

Adam



Bug#932522: buster-pu: package pam-u2f/1.0.7-1

2019-07-20 Thread Nicolas Braud-Santoni
Control: block 930047 by -1

Here is an updated debdiff; the only modification is in the changelog,
as I forgot to close #930047 there.

Best,

  nicoo
diff -Nru pam-u2f-1.0.7/debian/changelog pam-u2f-1.0.7/debian/changelog
--- pam-u2f-1.0.7/debian/changelog  2018-05-29 14:33:06.0 +0200
+++ pam-u2f-1.0.7/debian/changelog  2019-07-20 16:10:16.0 +0200
@@ -1,3 +1,15 @@
+pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high
+
+  * Backport multiple security fixes
+ + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021)
+ + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023)
+ + Fix a non-critical buffer out-of-bounds access. (Closes: #930047)
+
+  * Backport a reliability fix
+pam-u2f could previously segfault following a failure to allocate a buffer.
+
+ -- Nicolas Braud-Santoni   Sat, 20 Jul 2019 16:10:16 +0200
+
 pam-u2f (1.0.7-1) unstable; urgency=high
 
   * New upstream version 1.0.7 (2018-05-15)
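Review bot: the distribution field in `+pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high` should be plain `buster`; stable-update changelogs name the target suite, and the `+deb10u1` version suffix already identifies this as a buster update.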
diff -Nru 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
--- 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
 1970-01-01 01:00:00.0 +0100
+++ 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
 2019-07-20 16:10:16.0 +0200
@@ -0,0 +1,164 @@
+Subject: Do not leak file descriptor when doing exec
+
+When opening a custom debug file, the descriptor would stay
+open when calling exec and leak to the child process.
+
+Make sure all files are opened with close-on-exec.
+
+This fixes CVE-2019-12210.
+
+Thanks to Matthias Gerstner of the SUSE Security Team for reporting
+the issue.
+---
+ pam-u2f.c | 35 +--
+ util.c| 10 +++---
+ util.h|  3 ++-
+ 3 files changed, 34 insertions(+), 14 deletions(-)
+
+diff --git a/pam-u2f.c b/pam-u2f.c
+index 55d5708..071d005 100644
+Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62
+Bug: 930023
+From: Gabriel Kihlman 
+Reviewed-by: Nicolas Braud-Santoni 
+Last-Update: 2019-07-20
+Applied-Upstream: b0c6b7216f064e051c1dd42629ca062f721eea5f
+
+--- a/pam-u2f.c
 b/pam-u2f.c
+@@ -1,5 +1,5 @@
+ /*
+- *  Copyright (C) 2014-2018 Yubico AB - See COPYING
++ *  Copyright (C) 2014-2019 Yubico AB - See COPYING
+  */
+ 
+ /* Define which PAM interfaces we provide */
+@@ -31,7 +31,11 @@ char *secure_getenv(const char *name) {
+ #endif
+ 
+ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
++  struct stat st;
++  FILE *file = NULL;
++  int fd = -1;
+   int i;
++
+   memset(cfg, 0, sizeof(cfg_t));
+   cfg->debug_file = stderr;
+ 
+@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char 
**argv, cfg_t *cfg) {
+ cfg->debug_file = (FILE *)-1;
+   }
+   else {
+-struct stat st;
+-FILE *file;
+-if(lstat(filename, ) == 0) {
+-  if(S_ISREG(st.st_mode)) {
+-file = fopen(filename, "a");
+-if(file != NULL) {
+-  cfg->debug_file = file;
+-}
++fd = open(filename, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | 
O_NOCTTY);
++if (fd >= 0 && (fstat(fd, ) == 0) && S_ISREG(st.st_mode)) {
++  file = fdopen(fd, "a");
++  if(file != NULL) {
++cfg->debug_file = file;
++cfg->is_custom_debug_file = 1;
++file = NULL;
++fd = -1;
+   }
+ }
+   }
+@@ -111,6 +115,12 @@ static void parse_cfg(int flags, int argc, const char 
**argv, cfg_t *cfg) {
+ D(cfg->debug_file, "appid=%s", cfg->appid ? cfg->appid : "(null)");
+ D(cfg->debug_file, "prompt=%s", cfg->prompt ? cfg->prompt : "(null)");
+   }
++
++  if (fd != -1)
++close(fd);
++
++  if (file != NULL)
++fclose(file);
+ }
+ 
+ #ifdef DBG
+@@ -317,7 +327,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int 
argc,
+ DBG("Using file '%s' for emitting touch request notifications", 
cfg->authpending_file);
+ 
+ // Open (or create) the authpending_file to indicate that we start 
waiting for a touch
+-authpending_file_descriptor = open(cfg->authpending_file, O_RDONLY | 
O_CREAT, 0664);
++authpending_file_descriptor =
++  open(cfg->authpending_file, O_RDONLY | O_CREAT | O_CLOEXEC | O_NOFOLLOW 
| O_NOCTTY, 0664);
+ if (authpending_file_descriptor < 0) {
+   DBG("Unable to emit 'authentication started' notification by opening 
the file '%s', (%s)",
+   cfg->authpending_file, strerror(errno));
+@@ -385,6 +396,10 @@ done:
+   }
+   DBG("done. [%s]", pam_strerror(pamh, retval));
+ 
++  if (cfg->is_custom_debug_file) {
++fclose(cfg->debug_file);
++  }
++
+   return retval;
+ }
+ 
+diff --git a/util.c b/util.c
+index e7d8ecc..c17a0e6 100644
+--- a/util.c
 b/util.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2014-2018 Yubico AB - See COPYING
++ * Copyright (C) 
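Review bot: this copy of the patch has been re-wrapped at 80 columns by the mailer (the `diff -Nru` header is spread over four lines, `+@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char` breaks before `**argv, cfg_t *cfg) {`, and `O_NOFOLLOW |` is separated from `O_NOCTTY);`), so it will not apply with `patch` or `quilt` if taken from the mail body; send the debdiff as an attachment, or with wrapping disabled, for review. In the `+@@ -385,6 +396,10 @@ done:` hunk the custom debug file is closed only at the `done:` label of `pam_sm_authenticate`; since `parse_cfg` now sets `is_custom_debug_file` and nothing else releases that `FILE *`, confirm that every exit from `pam_sm_authenticate` goes through `done:`, otherwise the leak the patch is meant to fix survives on those paths.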

Bug#932522: buster-pu: package pam-u2f/1.0.7-1

2019-07-20 Thread Nicolas Braud-Santoni
Package: release.debian.org
Severity: normal
Tags: buster security
User: release.debian@packages.debian.org
Usertags: pu
Control: block 930021 by -1
Control: block 930023 by -1


Dear release team,

I prepared a proposed update for pam-u2f, backporting fixes from upstream:

  * multiple security fixes
 + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021)
 + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023)
 + Fix a non-critical buffer out-of-bounds access.

  * reliability fix
pam-u2f could previously segfault following a failure to allocate a buffer.


Regarding the security fixes, Salvatore stated in #931991 that the issues do not
warrant issuing a DSA, making them eligible for a fix via -pu.

Please find the debdiff attached.


Best,

  nicoo

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru pam-u2f-1.0.7/debian/changelog pam-u2f-1.0.7/debian/changelog
--- pam-u2f-1.0.7/debian/changelog  2018-05-29 14:33:06.0 +0200
+++ pam-u2f-1.0.7/debian/changelog  2019-07-20 13:29:57.0 +0200
@@ -1,3 +1,15 @@
+pam-u2f (1.0.7-1+deb10u1) buster-proposed-updates; urgency=high
+
+  * Backport multiple security fixes
+ + Fix insecure debug file handling CVE-2019-12209. (Closes: #930021)
+ + Fix debug file descriptor leak CVE-2019-12210. (Closes: #930023)
+ + Fix a non-critical buffer out-of-bounds access.
+
+  * Backport a reliability fix
+pam-u2f could previously segfault following a failure to allocate a buffer.
+
+ -- Nicolas Braud-Santoni   Sat, 20 Jul 2019 13:29:57 +0200
+
 pam-u2f (1.0.7-1) unstable; urgency=high
 
   * New upstream version 1.0.7 (2018-05-15)
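Review bot: `+ + Fix a non-critical buffer out-of-bounds access.` is the only fix entry without a `(Closes: #...)` reference, whereas the two CVE entries above it close #930021 and #930023; if a Debian bug tracks the out-of-bounds access, reference it here so the BTS is closed by the upload and the release team can trace the change to its report.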
diff -Nru 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
--- 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
 1970-01-01 01:00:00.0 +0100
+++ 
pam-u2f-1.0.7/debian/patches/0001-Do-not-leak-file-descriptor-when-doing-exec.patch
 2019-07-20 13:29:57.0 +0200
@@ -0,0 +1,164 @@
+Subject: Do not leak file descriptor when doing exec
+
+When opening a custom debug file, the descriptor would stay
+open when calling exec and leak to the child process.
+
+Make sure all files are opened with close-on-exec.
+
+This fixes CVE-2019-12210.
+
+Thanks to Matthias Gerstner of the SUSE Security Team for reporting
+the issue.
+---
+ pam-u2f.c | 35 +--
+ util.c| 10 +++---
+ util.h|  3 ++-
+ 3 files changed, 34 insertions(+), 14 deletions(-)
+
+diff --git a/pam-u2f.c b/pam-u2f.c
+index 55d5708..071d005 100644
+Origin: commit:18b1914e32b74ff52000f10e97067e841e5fff62
+Bug: 930023
+From: Gabriel Kihlman 
+Reviewed-by: Nicolas Braud-Santoni 
+Last-Update: 2019-07-20
+Applied-Upstream: b0c6b7216f064e051c1dd42629ca062f721eea5f
+
+--- a/pam-u2f.c
 b/pam-u2f.c
+@@ -1,5 +1,5 @@
+ /*
+- *  Copyright (C) 2014-2018 Yubico AB - See COPYING
++ *  Copyright (C) 2014-2019 Yubico AB - See COPYING
+  */
+ 
+ /* Define which PAM interfaces we provide */
+@@ -31,7 +31,11 @@ char *secure_getenv(const char *name) {
+ #endif
+ 
+ static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
++  struct stat st;
++  FILE *file = NULL;
++  int fd = -1;
+   int i;
++
+   memset(cfg, 0, sizeof(cfg_t));
+   cfg->debug_file = stderr;
+ 
+@@ -76,14 +80,14 @@ static void parse_cfg(int flags, int argc, const char 
**argv, cfg_t *cfg) {
+ cfg->debug_file =
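Review bot: the `+@@ -1,5 +1,5 @@` hunk only bumps the copyright year (`2014-2018` to `2014-2019`) and has nothing to do with the descriptor leak; for a stable update either trim the backported patch to the functional hunks or state in the DEP-3 header that the upstream commit is applied verbatim, so the reviewer knows the cosmetic hunk is intentional rather than an accidental inclusion.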