From 6cc316c44d773a7f12aa022008d3c4e3ddd8c83e Mon Sep 17 00:00:00 2001
From: Shubham Kulkarni
Date: Wed, 23 Apr 2025 14:13:43 +0530
Subject: libpam: Update fix for CVE-2024-10041

Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da. But not all cases were covered with this fix and issues were reported after the release. In the v1.6.1 release, PAM community fixed these issues via commit b7b9636. Backport this commit b7b9636, which Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries") Backport from https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620
(From OE-Core rev: 71035c8c5907f7103ce40b92490a10bd3dde7226)
Signed-off-by: Shubham Kulkarni
Signed-off-by: Steve Sakoman
---
 .../pam/libpam/CVE-2024-10041-1.patch | 98 ++++++++++++++++++++++
 .../pam/libpam/CVE-2024-10041-2.patch | 77 +++++++++++++++++
 .../pam/libpam/CVE-2024-10041.patch | 98 ----------------------
 meta/recipes-extended/pam/libpam_1.5.2.bb | 3 +-
 4 files changed, 177 insertions(+), 99 deletions(-)
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
 delete mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
(limited to 'meta')
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
new file mode 100644
index 0000000000..cb0490299b
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
@@ -0,0 +1,98 @@
+From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Mon, 1 Jan 2024 12:00:00 +0000
+Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow
+ password file entries
+
+Initially, when pam_unix.so verified the password, it used to try to
+obtain the shadow password file entry for the given user by invoking
+getspnam(3), and only when that didn't work and the effective uid
+was nonzero, pam_unix.so used to invoke the helper as a fallback.
+
+When SELinux support was introduced by commit
+67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
+also for the case when SELinux was enabled.
+
+Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
+fallback conditions for the case when pam_modutil_getspnam() failed
+with EACCES.
+
+Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
+invoked as a fallback when pam_modutil_getspnam() fails for any reason.
+
+The ultimate solution for the case when pam_unix.so does not have
+permissions to obtain the shadow password file entry is to stop trying
+to use pam_modutil_getspnam() and to invoke the helper instead.
+Here are two recent examples.
+
+https://github.com/linux-pam/linux-pam/pull/484 describes a system
+configuration where libnss_systemd is enabled along with libnss_files
+in the shadow entry of nsswitch.conf, so when libnss_files is unable
+to obtain the shadow password file entry for the root user, e.g. when
+SELinux is enabled, NSS falls back to libnss_systemd which returns
+a synthesized shadow password file entry for the root user, which
+in turn locks the root user out.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
+essentially the same problem in a similar system configuration.
+
+This commit is the final step in the direction of addressing the issue:
+for password verification pam_unix.so now invokes the helper instead of
+making the pam_modutil_getspnam() call.
+
+* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
+Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
+the shadow password file entry.
+
+Complements: https://github.com/linux-pam/linux-pam/pull/386
+Resolves: https://github.com/linux-pam/linux-pam/pull/484
+Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
+
+CVE: CVE-2024-10041
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be]
+
+Signed-off-by: Divya Chellam
+---
+ modules/pam_unix/passverify.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f2474a5..b300522 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -237,20 +237,21 @@ PAMH_ARG_DECL(int get_account_info,
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+ } else if (is_pwd_shadowed(*pwd)) {
++#ifdef HELPER_COMPILE
+ /*
+- * ...and shadow password file entry for this user,
++ * shadow password file entry for this user,
+ * if shadowing is enabled
+ */
+- *spwdent = pam_modutil_getspnam(pamh, name);
+- if (*spwdent == NULL) {
+-#ifndef HELPER_COMPILE
+- /* still a chance the user can authenticate */
+- return PAM_UNIX_RUN_HELPER;
+-#endif
+- return PAM_AUTHINFO_UNAVAIL;
+- }
+- if ((*spwdent)->sp_pwdp == NULL)
++ *spwdent = getspnam(name);
++ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
++#else
++ /*
++ * The helper has to be invoked to deal with
++ * the shadow password file entry.
++ */
++ return PAM_UNIX_RUN_HELPER;
++#endif
+ }
+ } else {
+ return PAM_USER_UNKNOWN;
+--
+2.40.0
+
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
new file mode 100644
index 0000000000..6070a26266
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+
+Keep logging for future analysis though.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+
+Signed-off-by: Tobias Stoeckmann
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
+CVE: CVE-2024-10041
+Signed-off-by: Shubham Kulkarni
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0df..7ffcb9e3f2 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+- printf("-1\n");
+- fflush(stdout);
+- _exit(PAM_AUTHINFO_UNAVAIL);
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ uid_t euid = geteuid();
++ pam_syslog(pamh, euid == 0 ?
LOG_ERR : LOG_DEBUG, "setuid failed: %m");
++ if (euid == 0) {
++ printf("-1\n");
++ fflush(stdout);
++ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+ }
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f95..69811048e6 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
+
+- if (geteuid() == 0) {
+- /* must set the real uid to 0 so the helper will not error
+- out if pam is called from setuid binary (su, sudo...) */
+- if (setuid(0) == -1) {
+- D(("setuid failed"));
+- _exit(PAM_AUTHINFO_UNAVAIL);
+- }
++ /* must set the real uid to 0 so the helper will not error
++ out if pam is called from setuid binary (su, sudo...) */
++ if (setuid(0) == -1) {
++ D(("setuid failed"));
++ if (geteuid() == 0) {
++ _exit(PAM_AUTHINFO_UNAVAIL);
++ }
+ }
+
+ /* exec binary helper */
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
deleted file mode 100644
index cb0490299b..0000000000
--- a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
+++ /dev/null
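Review bot: In the support.c hunk of this backported patch, the branch that carries on after a failed `setuid(0)` with a non-zero euid leaves no trace outside debug builds, because `D(("setuid failed"));` (presumably the module's debug-only macro) is the only record there, whereas the pam_unix_acct.c hunk in the same patch reports the identical condition through `pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");`. Upstream's stated intent ("Keep logging for future analysis") is therefore honoured only on the account path; a separate follow-up patch adding `pam_syslog(pamh, LOG_DEBUG, "setuid failed: %m");` beside the `D()` call in `_unix_run_helper_binary` would make both helper launches observable without editing the verbatim backport. Note also that this patch keeps upstream's blob ids (`8f5ed3e0df..7ffcb9e3f2`, `d391973f95..69811048e6`) and hunk offsets while `CVE-2024-10041-1.patch` was rebased (`f2474a5..b300522`), so it is worth confirming from the do_patch log that both hunks apply to libpam 1.5.2 without fuzz. Both `_unix_run_verify_binary` and `_unix_run_helper_binary` start and end outside these hunks; after the change the child goes on to exec the helper even when `setuid(0)` fails, so whose password may be checked is then enforced solely by unix_chkpwd's own real-uid check, which is not visible here.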
@@ -1,98 +0,0 @@
-From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin"
-Date: Mon, 1 Jan 2024 12:00:00 +0000
-Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow
- password file entries
-
-Initially, when pam_unix.so verified the password, it used to try to
-obtain the shadow password file entry for the given user by invoking
-getspnam(3), and only when that didn't work and the effective uid
-was nonzero, pam_unix.so used to invoke the helper as a fallback.
-
-When SELinux support was introduced by commit
-67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
-also for the case when SELinux was enabled.
-
-Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
-fallback conditions for the case when pam_modutil_getspnam() failed
-with EACCES.
-
-Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
-invoked as a fallback when pam_modutil_getspnam() fails for any reason.
-
-The ultimate solution for the case when pam_unix.so does not have
-permissions to obtain the shadow password file entry is to stop trying
-to use pam_modutil_getspnam() and to invoke the helper instead.
-Here are two recent examples.
-
-https://github.com/linux-pam/linux-pam/pull/484 describes a system
-configuration where libnss_systemd is enabled along with libnss_files
-in the shadow entry of nsswitch.conf, so when libnss_files is unable
-to obtain the shadow password file entry for the root user, e.g. when
-SELinux is enabled, NSS falls back to libnss_systemd which returns
-a synthesized shadow password file entry for the root user, which
-in turn locks the root user out.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
-essentially the same problem in a similar system configuration.
-
-This commit is the final step in the direction of addressing the issue:
-for password verification pam_unix.so now invokes the helper instead of
-making the pam_modutil_getspnam() call.
-
-* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
-Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
-the shadow password file entry.
-
-Complements: https://github.com/linux-pam/linux-pam/pull/386
-Resolves: https://github.com/linux-pam/linux-pam/pull/484
-Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
-
-CVE: CVE-2024-10041
-
-Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be]
-
-Signed-off-by: Divya Chellam
----
- modules/pam_unix/passverify.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index f2474a5..b300522 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -237,20 +237,21 @@ PAMH_ARG_DECL(int get_account_info,
- return PAM_UNIX_RUN_HELPER;
- #endif
- } else if (is_pwd_shadowed(*pwd)) {
-+#ifdef HELPER_COMPILE
- /*
-- * ...and shadow password file entry for this user,
-+ * shadow password file entry for this user,
- * if shadowing is enabled
- */
-- *spwdent = pam_modutil_getspnam(pamh, name);
-- if (*spwdent == NULL) {
--#ifndef HELPER_COMPILE
-- /* still a chance the user can authenticate */
-- return PAM_UNIX_RUN_HELPER;
--#endif
-- return PAM_AUTHINFO_UNAVAIL;
-- }
-- if ((*spwdent)->sp_pwdp == NULL)
-+ *spwdent = getspnam(name);
-+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
- return PAM_AUTHINFO_UNAVAIL;
-+#else
-+ /*
-+ * The helper has to be invoked to deal with
-+ * the shadow password file entry.
-+ */
-+ return PAM_UNIX_RUN_HELPER;
-+#endif
- }
- } else {
- return PAM_USER_UNKNOWN;
---
-2.40.0
-
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb
index 05fe232f6a..567f9741cb 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -27,7 +27,8 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
 file://CVE-2022-28321-0002.patch \
 file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
 file://CVE-2024-22365.patch \
- file://CVE-2024-10041.patch \
+ file://CVE-2024-10041-1.patch \
+ file://CVE-2024-10041-2.patch \
 "

 SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
--
cgit v1.2.3-54-g00ecf