From 094c0a90129215ad358bfca9f82a31d6c3672447 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki
Date: Wed, 30 Oct 2024 15:18:24 -0700
Subject: [PATCH] Patched CVE-2024-22365 in `pam`. (CP: #8320) (#10892)
Co-authored-by: Saul Paredes <30801614+Redent0r@users.noreply.github.com>
Co-authored-by: jslobodzian
(cherry picked from commit 9bb8d61e0b49ee2784ec80bc58087daa3f626cae)
---
 SPECS/pam/CVE-2024-22365.patch | 55 +++++++++++++++++++
 SPECS/pam/pam.spec | 9 ++-
 .../manifests/package/toolchain_aarch64.txt | 8 +--
 .../manifests/package/toolchain_x86_64.txt | 8 +--
 4 files changed, 70 insertions(+), 10 deletions(-)
 create mode 100644 SPECS/pam/CVE-2024-22365.patch
diff --git a/SPECS/pam/CVE-2024-22365.patch b/SPECS/pam/CVE-2024-22365.patch
new file mode 100644
index 00000000000..7811013728a
--- /dev/null
+++ b/SPECS/pam/CVE-2024-22365.patch
@@ -0,0 +1,55 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {
diff --git a/SPECS/pam/pam.spec b/SPECS/pam/pam.spec
index 523ec8b6213..18cb42a6858 100644
--- a/SPECS/pam/pam.spec
+++ b/SPECS/pam/pam.spec
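Review bot: In the second inner hunk of SPECS/pam/CVE-2024-22365.patch (`@@ -1255,22 +1255,6 @@`), the `rv = openat(dfd, dir, flags);` at the top of the hunk now flows directly into `protect_mount(rv, p, idata)` when `O_NOFOLLOW` is set, with no visible test that the open succeeded. The removed block only ran for `rv != -1`, so this gap is not introduced here, but with that block gone a guard such as `if (rv != -1 && (flags & O_NOFOLLOW)) {` would keep a failed descriptor away from the mount helper and would presumably leave openat()'s errno (now ENOTDIR for a non-directory) intact for the caller. The changed initializer in the first inner hunk carries the whole mitigation and deserves a comment so the flag is not dropped in a later refactor, e.g. `/* O_DIRECTORY: openat() fails with ENOTDIR on a FIFO instead of blocking */`. protect_dir() starts and ends outside both hunks, so the path walk before this openat() and the code after the protect_mount() call could not be checked here.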
@@ -1,7 +1,7 @@ Summary: Linux Pluggable Authentication Modules Name: pam Version: 1.5.3 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD and GPLv2+ URL: https://github.com/linux-pam/linux-pam Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz @@ -15,6 +15,8 @@ BuildRequires: audit-devel Requires: audit-libs Recommends: cracklib-dicts +Patch0: CVE-2024-22365.patch + %description The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users. @@ -37,7 +39,7 @@ This package contains libraries, header files and documentation for developing applications that use pam. %prep -%autosetup -n Linux-PAM-%{version} +%autosetup -n Linux-PAM-%{version} -p1 %build ./configure \ @@ -102,6 +104,9 @@ EOF %{_libdir}/pkgconfig/pamc.pc %changelog +* Wed Oct 30 2024 Pawel Winogrodzki - 1.5.3-2 +- Patching CVE-2024-22365. + * Tue Nov 21 2023 CBL-Mariner Servicing Account - 1.5.3-1 - Auto-upgrade to 1.5.3 - Azure Linux 3.0 - package upgrades diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index f61ef0df06a..4385a3a1219 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -296,10 +296,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm p11-kit-devel-0.25.0-1.azl3.aarch64.rpm p11-kit-server-0.25.0-1.azl3.aarch64.rpm p11-kit-trust-0.25.0-1.azl3.aarch64.rpm -pam-1.5.3-1.azl3.aarch64.rpm -pam-debuginfo-1.5.3-1.azl3.aarch64.rpm -pam-devel-1.5.3-1.azl3.aarch64.rpm -pam-lang-1.5.3-1.azl3.aarch64.rpm +pam-1.5.3-2.azl3.aarch64.rpm +pam-debuginfo-1.5.3-2.azl3.aarch64.rpm +pam-devel-1.5.3-2.azl3.aarch64.rpm +pam-lang-1.5.3-2.azl3.aarch64.rpm patch-2.7.6-9.azl3.aarch64.rpm patch-debuginfo-2.7.6-9.azl3.aarch64.rpm pcre2-10.42-3.azl3.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 2f539153db4..2f597cdc566 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -302,10 +302,10 @@ p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm
 p11-kit-server-0.25.0-1.azl3.x86_64.rpm
 p11-kit-trust-0.25.0-1.azl3.x86_64.rpm
-pam-1.5.3-1.azl3.x86_64.rpm
-pam-debuginfo-1.5.3-1.azl3.x86_64.rpm
-pam-devel-1.5.3-1.azl3.x86_64.rpm
-pam-lang-1.5.3-1.azl3.x86_64.rpm
+pam-1.5.3-2.azl3.x86_64.rpm
+pam-debuginfo-1.5.3-2.azl3.x86_64.rpm
+pam-devel-1.5.3-2.azl3.x86_64.rpm
+pam-lang-1.5.3-2.azl3.x86_64.rpm
 patch-2.7.6-9.azl3.x86_64.rpm
 patch-debuginfo-2.7.6-9.azl3.x86_64.rpm
 pcre2-10.42-3.azl3.x86_64.rpm