packages/pam
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2024-22365

Browse Source
This commit is contained in:
zhangruifang2020 2024-01-24 10:39:08 +08:00
parent ed6fda24f9
commit ef131bca4c
2 changed files with 63 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch Normal file
View File

@ -0,0 +1,58 @@
From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 27 Dec 2023 14:01:59 +0100
Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
local DoS situations
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
being placed in user controlled directories, causing the PAM module to
block indefinitely during `openat()`.
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
refer to a directory.
With this the check whether the final path element is a directory
becomes unnecessary, drop it.
---
modules/pam_namespace/pam_namespace.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 2528cff8..f72d6718 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
int dfd = AT_FDCWD;
int dfd_next;
int save_errno;
- int flags = O_RDONLY;
+ int flags = O_RDONLY | O_DIRECTORY;
int rv = -1;
struct stat st;
@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
rv = openat(dfd, dir, flags);
}
- if (rv != -1) {
- if (fstat(rv, &st) != 0) {
- save_errno = errno;
- close(rv);
- rv = -1;
- errno = save_errno;
- goto error;
- }
- if (!S_ISDIR(st.st_mode)) {
- close(rv);
- errno = ENOTDIR;
- rv = -1;
- goto error;
- }
- }
-
if (flags & O_NOFOLLOW) {
/* we are inside user-owned dir - protect */
if (protect_mount(rv, p, idata) == -1) {
--
2.33.0

6
pam.spec
View File

@ -4,7 +4,7 @@
%define _pamconfdir %{_sysconfdir}/pam.d
Name: pam
Version: 1.4.0
Release: 10
Release: 11
Summary: Pluggable Authentication Modules for Linux
License: BSD and GPLv2+
URL: http://www.linux-pam.org/
@ -28,6 +28,7 @@ Patch4: pam_faillock-fix-build-on-musl.patch
Patch5: pam_modutil_check_user_in_passwd-avoid-timing-attack.patch
Patch6: Prevent-SEGFAULT-for-unknown-UID.patch
Patch7: change-ndbm-to-gdbm.patch
Patch8: backport-CVE-2024-22365-pam_namespace-protect_dir-use-O_DIRECTORY-to-prevent.patch
Patch6000: backport-Move-read_passwords-function-from-pam_unix-to-pam_inline.h.patch
Patch6001: backport-add-helper-to-handle-SELinux.patch
Patch6002: zh_CN_po_fix_str_meaning_error.patch
@ -186,6 +187,9 @@ fi
%changelog
* Wed Jan 24 2024 zhangruifang <zhangruifang1@h-partners.com> - 1.4.0-11
- fix CVE-2024-22365
* Thu Mar 09 2023 wangyu <wangyu283@huawei.com> - 1.4.0-10
- revert: bugfix with cannot open database file