libpam: Update fix for CVE-2024-10041

Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da. But not all cases were covered with this fix and issues were reported after the release. In the v1.6.1 release, PAM community fixed these issues via commit b7b9636. Backport this commit b7b9636, which Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries") Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620 (From OE-Core rev: 78a04ce17e7d828c0cf8cae2164882683d46275e) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Shubham Kulkarni <skulkarni@mvista.com> 2025-04-23 14:10:56 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-05-02 08:20:11 -0700
commit: 46aa1e0ebaf76ea4f0244e7034087d5b15b7936f (patch)
tree: 067b33b83b5f79b2fca310e2056b560413c84b25
parent: c162696dae5798e2ab1198403d0bc1d65d64068d (diff)
download: poky-46aa1e0ebaf76ea4f0244e7034087d5b15b7936f.tar.gz
3 files changed, 79 insertions, 1 deletions
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
index 41949cbf2a..41949cbf2a 100644
--- a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
new file mode 100644
index 0000000000..6070a26266
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+Keep logging for future analysis though.
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
+CVE: CVE-2024-10041
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c       | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0df..7ffcb9e3f2 100644
+--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+       _exit(PAM_AUTHINFO_UNAVAIL);
+     }
+-    if (geteuid() == 0) {
+-      /* must set the real uid to 0 so the helper will not error
+-         out if pam is called from setuid binary (su, sudo...) */
+-      if (setuid(0) == -1) {
+-          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+-          printf("-1\n");
+-          fflush(stdout);
+-          _exit(PAM_AUTHINFO_UNAVAIL);
+    /* must set the real uid to 0 so the helper will not error
+       out if pam is called from setuid binary (su, sudo...) */
+    if (setuid(0) == -1) {
+      uid_t euid = geteuid();
+      pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
+      if (euid == 0) {
+       printf("-1\n");
+       fflush(stdout);
+       _exit(PAM_AUTHINFO_UNAVAIL);
+       }
+     }
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f95..69811048e6 100644
+--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+                _exit(PAM_AUTHINFO_UNAVAIL);
+        }
+-       if (geteuid() == 0) {
+-          /* must set the real uid to 0 so the helper will not error
+-            out if pam is called from setuid binary (su, sudo...) */
+-         if (setuid(0) == -1) {
+-             D(("setuid failed"));
+-            _exit(PAM_AUTHINFO_UNAVAIL);
+-          }
+       /* must set the real uid to 0 so the helper will not error
+          out if pam is called from setuid binary (su, sudo...) */
+       if (setuid(0) == -1) {
+          D(("setuid failed"));
+          if (geteuid() == 0) {
+             _exit(PAM_AUTHINFO_UNAVAIL);
+          }
+        }
+        /* exec binary helper */
diff --git a/meta/recipes-extended/pam/libpam_1.5.3.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb
index 55b4dd7ee1..714cdb6552 100644
--- a/meta/recipes-extended/pam/libpam_1.5.3.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -27,7 +27,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
           file://0001-pam_namespace-include-stdint-h.patch \
           file://0001-pam_pwhistory-fix-passing-NULL-filename-argument-to-.patch \
           file://CVE-2024-22365.patch \
-           file://CVE-2024-10041.patch \
+           file://CVE-2024-10041-1.patch \
+           file://CVE-2024-10041-2.patch \
           "
 SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"
author	Shubham Kulkarni <skulkarni@mvista.com>	2025-04-23 14:10:56 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-05-02 08:20:11 -0700
commit	46aa1e0ebaf76ea4f0244e7034087d5b15b7936f (patch)
tree	067b33b83b5f79b2fca310e2056b560413c84b25
parent	c162696dae5798e2ab1198403d0bc1d65d64068d (diff)
download	poky-46aa1e0ebaf76ea4f0244e7034087d5b15b7936f.tar.gz

diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch index 41949cbf2a..41949cbf2a 100644 --- a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch +++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch


diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch new file mode 100644 index 0000000000..6070a26266 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
		1	From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Wed, 24 Jan 2024 18:57:42 +0100
		4	Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
		5
		6	The geteuid check does not cover all cases. If a program runs with
		7	elevated capabilities like CAP_SETUID then we can still check
		8	credentials of other users.
		9
		10	Keep logging for future analysis though.
		11
		12	Resolves: https://github.com/linux-pam/linux-pam/issues/747
		13	Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
		14
		15	Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
		16
		17	Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
		18	CVE: CVE-2024-10041
		19	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		20	---
		21	modules/pam_unix/pam_unix_acct.c \| 17 +++++++++--------
		22	modules/pam_unix/support.c \| 14 +++++++-------
		23	2 files changed, 16 insertions(+), 15 deletions(-)
		24
		25	diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
		26	index 8f5ed3e0df..7ffcb9e3f2 100644
		27	--- a/modules/pam_unix/pam_unix_acct.c
		28	+++ b/modules/pam_unix/pam_unix_acct.c
		29	@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
		30	_exit(PAM_AUTHINFO_UNAVAIL);
		31	}
		32
		33	- if (geteuid() == 0) {
		34	- /* must set the real uid to 0 so the helper will not error
		35	- out if pam is called from setuid binary (su, sudo...) */
		36	- if (setuid(0) == -1) {
		37	- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
		38	- printf("-1\n");
		39	- fflush(stdout);
		40	- _exit(PAM_AUTHINFO_UNAVAIL);
		41	+ /* must set the real uid to 0 so the helper will not error
		42	+ out if pam is called from setuid binary (su, sudo...) */
		43	+ if (setuid(0) == -1) {
		44	+ uid_t euid = geteuid();
		45	+ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
		46	+ if (euid == 0) {
		47	+ printf("-1\n");
		48	+ fflush(stdout);
		49	+ _exit(PAM_AUTHINFO_UNAVAIL);
		50	}
		51	}
		52
		53	diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
		54	index d391973f95..69811048e6 100644
		55	--- a/modules/pam_unix/support.c
		56	+++ b/modules/pam_unix/support.c
		57	@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,
		58	_exit(PAM_AUTHINFO_UNAVAIL);
		59	}
		60
		61	- if (geteuid() == 0) {
		62	- /* must set the real uid to 0 so the helper will not error
		63	- out if pam is called from setuid binary (su, sudo...) */
		64	- if (setuid(0) == -1) {
		65	- D(("setuid failed"));
		66	- _exit(PAM_AUTHINFO_UNAVAIL);
		67	- }
		68	+ /* must set the real uid to 0 so the helper will not error
		69	+ out if pam is called from setuid binary (su, sudo...) */
		70	+ if (setuid(0) == -1) {
		71	+ D(("setuid failed"));
		72	+ if (geteuid() == 0) {
		73	+ _exit(PAM_AUTHINFO_UNAVAIL);
		74	+ }
		75	}
		76
		77	/* exec binary helper */


diff --git a/meta/recipes-extended/pam/libpam_1.5.3.bb b/meta/recipes-extended/pam/libpam_1.5.3.bb index 55b4dd7ee1..714cdb6552 100644 --- a/meta/recipes-extended/pam/libpam_1.5.3.bb +++ b/meta/recipes-extended/pam/libpam_1.5.3.bb
@@ -27,7 +27,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
27	file://0001-pam_namespace-include-stdint-h.patch \	27	file://0001-pam_namespace-include-stdint-h.patch \
28	file://0001-pam_pwhistory-fix-passing-NULL-filename-argument-to-.patch \	28	file://0001-pam_pwhistory-fix-passing-NULL-filename-argument-to-.patch \
29	file://CVE-2024-22365.patch \	29	file://CVE-2024-22365.patch \
30	file://CVE-2024-10041.patch \	30	file://CVE-2024-10041-1.patch \
		31	file://CVE-2024-10041-2.patch \
31	"	32	"
32		33
33	SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"	34	SRC_URI[sha256sum] = "7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283"