diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
similarity index 100%
rename from meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
rename to meta/recipes-extended/pam/libpam/CVE-2024-10041-1.patch
diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
new file mode 100644
index 0000000000..6070a26266
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041-2.patch
@@ -0,0 +1,77 @@
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed, 24 Jan 2024 18:57:42 +0100
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
+
+The geteuid check does not cover all cases. If a program runs with
+elevated capabilities like CAP_SETUID then we can still check
+credentials of other users.
+
+Keep logging for future analysis though.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
+CVE: CVE-2024-10041
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
+ modules/pam_unix/support.c       | 14 +++++++-------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index 8f5ed3e0df..7ffcb9e3f2 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
+       _exit(PAM_AUTHINFO_UNAVAIL);
+     }
+
+-    if (geteuid() == 0) {
+-      /* must set the real uid to 0 so the helper will not error
+-         out if pam is called from setuid binary (su, sudo...) */
+-      if (setuid(0) == -1) {
+-          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+-          printf("-1\n");
+-          fflush(stdout);
+-          _exit(PAM_AUTHINFO_UNAVAIL);
++    /* must set the real uid to 0 so the helper will not error
++       out if pam is called from setuid binary (su, sudo...) */
++    if (setuid(0) == -1) {
++      uid_t euid = geteuid();
++      pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
++      if (euid == 0) {
++	printf("-1\n");
++	fflush(stdout);
++	_exit(PAM_AUTHINFO_UNAVAIL);
+       }
+     }
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d391973f95..69811048e6 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+		_exit(PAM_AUTHINFO_UNAVAIL);
+	}
+
+-	if (geteuid() == 0) {
+-          /* must set the real uid to 0 so the helper will not error
+-	     out if pam is called from setuid binary (su, sudo...) */
+-	  if (setuid(0) == -1) {
+-             D(("setuid failed"));
+-	     _exit(PAM_AUTHINFO_UNAVAIL);
+-          }
++	/* must set the real uid to 0 so the helper will not error
++	   out if pam is called from setuid binary (su, sudo...) */
++	if (setuid(0) == -1) {
++	   D(("setuid failed"));
++	   if (geteuid() == 0) {
++	      _exit(PAM_AUTHINFO_UNAVAIL);
++	   }
+	}
+
+	/* exec binary helper */
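Review bot: In the support.c section of this backported patch, a failed `setuid(0)` is reported only through `D(("setuid failed"))`, while the pam_unix_acct.c section logs the same failure with `pam_syslog`. D() is not defined in this hunk; if it is the debug-build-only macro, a caller with euid 0 that exits with PAM_AUTHINFO_UNAVAIL here leaves no record, which is at odds with the commit message's "Keep logging for future analysis". Since `pamh` is a parameter of `_unix_run_helper_binary`, the same call would fit here: `pam_syslog(pamh, geteuid() == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");`. The retained comment in both files still explains only the setuid-binary case, so a line such as `/* attempted even when euid != 0: the caller may hold CAP_SETUID */` would record why the geteuid() guard was dropped. Both functions start and end outside the embedded hunks, and because this is an upstream backport these points are best raised upstream rather than changed locally.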
diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb
index 05fe232f6a..567f9741cb 100644
--- a/meta/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -27,7 +27,8 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
            file://CVE-2022-28321-0002.patch \
            file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
            file://CVE-2024-22365.patch \
-           file://CVE-2024-10041.patch \
+           file://CVE-2024-10041-1.patch \
+           file://CVE-2024-10041-2.patch \
            "
 
 SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
