3 files changed, 79 insertions, 1 deletions
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
index cb0490299b..cb0490299b 100644
--- a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
new file mode 100644
index 0000000000..6070a26266
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+Keep logging for future analysis though.
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
+CVE: CVE-2024-10041
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c       | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0df..7ffcb9e3f2 100644
+--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+       _exit(PAM_AUTHINFO_UNAVAIL);
+     }
+-    if (geteuid() == 0) {
+-      /* must set the real uid to 0 so the helper will not error
+-         out if pam is called from setuid binary (su, sudo...) */
+-      if (setuid(0) == -1) {
+-          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+-          printf("-1\n");
+-          fflush(stdout);
+-          _exit(PAM_AUTHINFO_UNAVAIL);
+    /* must set the real uid to 0 so the helper will not error
+       out if pam is called from setuid binary (su, sudo...) */
+    if (setuid(0) == -1) {
+      uid_t euid = geteuid();
+      pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
+      if (euid == 0) {
+       printf("-1\n");
+       fflush(stdout);
+       _exit(PAM_AUTHINFO_UNAVAIL);
+       }
+     }
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f95..69811048e6 100644
+--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+                _exit(PAM_AUTHINFO_UNAVAIL);
+        }
+-       if (geteuid() == 0) {
+-          /* must set the real uid to 0 so the helper will not error
+-            out if pam is called from setuid binary (su, sudo...) */
+-         if (setuid(0) == -1) {
+-             D(("setuid failed"));
+-            _exit(PAM_AUTHINFO_UNAVAIL);
+-          }
+       /* must set the real uid to 0 so the helper will not error
+          out if pam is called from setuid binary (su, sudo...) */
+       if (setuid(0) == -1) {
+          D(("setuid failed"));
+          if (geteuid() == 0) {
+             _exit(PAM_AUTHINFO_UNAVAIL);
+          }
+        }
+        /* exec binary helper */
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb
index 05fe232f6a..567f9741cb 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -27,7 +27,8 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
           file://CVE-2022-28321-0002.patch \
           file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
           file://CVE-2024-22365.patch \
-           file://CVE-2024-10041.patch \
+           file://CVE-2024-10041-1.patch \
+           file://CVE-2024-10041-2.patch \
           "
 SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"

diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch index cb0490299b..cb0490299b 100644 --- a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch +++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch


diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch new file mode 100644 index 0000000000..6070a26266 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
		1	From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Wed, 24 Jan 2024 18:57:42 +0100
		4	Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
		5
		6	The geteuid check does not cover all cases. If a program runs with
		7	elevated capabilities like CAP_SETUID then we can still check
		8	credentials of other users.
		9
		10	Keep logging for future analysis though.
		11
		12	Resolves: https://github.com/linux-pam/linux-pam/issues/747
		13	Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
		14
		15	Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
		16
		17	Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
		18	CVE: CVE-2024-10041
		19	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		20	---
		21	modules/pam_unix/pam_unix_acct.c \| 17 +++++++++--------
		22	modules/pam_unix/support.c \| 14 +++++++-------
		23	2 files changed, 16 insertions(+), 15 deletions(-)
		24
		25	diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
		26	index 8f5ed3e0df..7ffcb9e3f2 100644
		27	--- a/modules/pam_unix/pam_unix_acct.c
		28	+++ b/modules/pam_unix/pam_unix_acct.c
		29	@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
		30	_exit(PAM_AUTHINFO_UNAVAIL);
		31	}
		32
		33	- if (geteuid() == 0) {
		34	- /* must set the real uid to 0 so the helper will not error
		35	- out if pam is called from setuid binary (su, sudo...) */
		36	- if (setuid(0) == -1) {
		37	- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
		38	- printf("-1\n");
		39	- fflush(stdout);
		40	- _exit(PAM_AUTHINFO_UNAVAIL);
		41	+ /* must set the real uid to 0 so the helper will not error
		42	+ out if pam is called from setuid binary (su, sudo...) */
		43	+ if (setuid(0) == -1) {
		44	+ uid_t euid = geteuid();
		45	+ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
		46	+ if (euid == 0) {
		47	+ printf("-1\n");
		48	+ fflush(stdout);
		49	+ _exit(PAM_AUTHINFO_UNAVAIL);
		50	}
		51	}
		52
		53	diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
		54	index d391973f95..69811048e6 100644
		55	--- a/modules/pam_unix/support.c
		56	+++ b/modules/pam_unix/support.c
		57	@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,
		58	_exit(PAM_AUTHINFO_UNAVAIL);
		59	}
		60
		61	- if (geteuid() == 0) {
		62	- /* must set the real uid to 0 so the helper will not error
		63	- out if pam is called from setuid binary (su, sudo...) */
		64	- if (setuid(0) == -1) {
		65	- D(("setuid failed"));
		66	- _exit(PAM_AUTHINFO_UNAVAIL);
		67	- }
		68	+ /* must set the real uid to 0 so the helper will not error
		69	+ out if pam is called from setuid binary (su, sudo...) */
		70	+ if (setuid(0) == -1) {
		71	+ D(("setuid failed"));
		72	+ if (geteuid() == 0) {
		73	+ _exit(PAM_AUTHINFO_UNAVAIL);
		74	+ }
		75	}
		76
		77	/* exec binary helper */


diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb index 05fe232f6a..567f9741cb 100644 --- a/meta/recipes-extended/pam/libpam_1.5.2.bb +++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -27,7 +27,8 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
27	file://CVE-2022-28321-0002.patch \	27	file://CVE-2022-28321-0002.patch \
28	file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \	28	file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
29	file://CVE-2024-22365.patch \	29	file://CVE-2024-22365.patch \
30	file://CVE-2024-10041.patch \	30	file://CVE-2024-10041-1.patch \
		31	file://CVE-2024-10041-2.patch \
31	"	32	"
32		33
33	SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"	34	SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"