Bug 32746

Summary: pam new security issue CVE-2024-22365
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, bequimao.de, fri, mageia, marja11, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: pam-1.5.2-5.mga9.src.rpm CVE: CVE-2024-22365
Status comment:
Attachments: excerpts from journal

Description Nicolas Salguero 2024-01-19 11:48:12 CET 
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/01/18/3

It is fixed in version 1.6.0:
https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0
It is fixed by this commit:
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb

Mageia 9 is also affected.
Nicolas Salguero 2024-01-19 11:48:57 CET

Source RPM: (none) => pam-1.5.2-5.mga9.src.rpm
CVE: (none) => CVE-2024-22365
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-01-22 11:44:15 CET 
No obvious packager for pam, so assigning globally.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => fixed in version 1.6.0, also by a patch

Comment 2 Nicolas Salguero 2024-01-26 15:23:07 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations. (CVE-2024-22365)

References:
https://www.openwall.com/lists/oss-security/2024/01/18/3
========================

Updated packages in core/updates_testing:
========================
lib(64)pam0-1.5.2-5.1.mga9
lib(64)pam-devel-1.5.2-5.1.mga9
pam-1.5.2-5.1.mga9
pam-doc-1.5.2-5.1.mga9

from SRPM:
pam-1.5.2-5.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Status comment: fixed in version 1.6.0, also by a patch => (none)
Version: Cauldron => 9

PC LX 2024-01-26 19:02:06 CET

CC: (none) => mageia

Comment 3 katnatek 2024-01-28 01:58:54 CET 
Tested in real hardware Mageia 9 x86_64

Update without issues

Between the outputof urpmq --whatrequires lib64pam0 is

kwallet-pam

So I test start session with nheko , not issues detected
Comment 4 katnatek 2024-01-28 02:07:07 CET 
Between the output of urpmq --whatrequires lib64pam0 is polkit, I start MCC, it ask for root password , type and press enter, not issues detected, same hardware as comment#3
Comment 5 Marja Van Waes 2024-01-29 10:39:38 CET 
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory
CC: (none) => marja11

Comment 6 Ulrich Beckmann 2024-01-29 21:52:15 CET 
Created attachment 14318 [details]
excerpts from journal

Tested with KDE Plasma amd64 on real hardware (autoboot) and
Gnome amd64 in a virtual machine.

No regression found.

NB 
The error message "gdm-password][17988]: gkr-pam: unable to locate daemon control file" is also found earlier. No regression.

Ulrich

CC: (none) => bequimao.de

Comment 7 Ulrich Beckmann 2024-02-05 17:42:39 CET 
Set to ok.

Ulrich

Whiteboard: (none) => MGA9-64-OK

Comment 8 Morgan Leijström 2024-02-06 01:14:23 CET 
mga9-64 with SDDM and Plasma OK

CC: (none) => fri

Comment 9 Thomas Andrews 2024-02-06 22:14:08 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2024-02-09 02:35:35 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0030.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED