Bug 22006 - libpam4j new security issue CVE-2017-12197
Summary: libpam4j new security issue CVE-2017-12197
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-11-10 14:41 CET by David Walser
Modified: 2018-05-16 10:26 CEST (History)
4 users

See Also:
Source RPM: libpam4j-1.8-7.mga6.src.rpm
CVE:
Status comment: Proposed patches available from Debian, RedHat, and github


Attachments

Description David Walser 2017-11-10 14:41:52 CET
Debian has issued an advisory on November 8:
https://www.debian.org/security/2017/dsa-4025

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-11-10 14:42:13 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-12-27 05:10:06 CET
We won't be fixing this type of package for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Comment 2 David Walser 2018-02-02 18:22:00 CET
Debian pointed out in their bug that RedHat patched to fix this too.

Both fixes are based on a suggested patch on github linked from here:
https://security-tracker.debian.org/tracker/CVE-2017-12197

Status comment: (none) => Proposed patches available from Debian, RedHat, and github

Comment 3 Mike Rambo 2018-04-29 01:30:08 CEST
Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libpam4j package fixes security vulnerability:

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt() during authentication. As such, a user who has a valid password but a deactivated or disabled account could still log in (CVE-2017-11721).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
https://www.debian.org/security/2017/dsa-4025
========================

Updated packages in core/updates_testing:
========================
libpam4j-1.8-7.1.mga6.noarch.rpm
libpam4j-javadoc-1.8-7.1.mga6.noarch.rpm

from libpam4j-1.8-7.1.mga6.src.rpm

Assignee: mageia => qa-bugs
Version: Cauldron => 6
CC: (none) => mrambo
Whiteboard: MGA6TOO => (none)

Comment 4 Mike Rambo 2018-04-29 02:12:54 CEST
(sorry - messed up the advisory - had wrong CVE in one place)

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libpam4j package fixes security vulnerability:

It was discovered that libpam4j, a Java library wrapper for the integration of PAM, did not call pam_acct_mgmt() during authentication. As such, a user who has a valid password but a deactivated or disabled account could still log in (CVE-2017-12197).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197
https://www.debian.org/security/2017/dsa-4025
========================

Updated packages in core/updates_testing:
========================
libpam4j-1.8-7.1.mga6.noarch.rpm
libpam4j-javadoc-1.8-7.1.mga6.noarch.rpm

from libpam4j-1.8-7.1.mga6.src.rpm
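The advisory above describes the bug class: a PAM client that stops after pam_authenticate() has only checked the password, while account restrictions (expiry, lock, pam_access/pam_time rules) are enforced by the separate pam_acct_mgmt() stage. The following minimal PAM client is an added example for this bug report, not libpam4j's code or Mageia's patch. It loads libpam with dlopen() so it builds without the PAM development headers; the struct layouts and constants are Linux-PAM's (an assumption; OpenPAM differs), and the function name authenticate_user and the check_account flag are this example's own. With check_account = 0 it performs the pre-fix sequence; with check_account = 1 it performs the fixed one.

```c
/* Minimal PAM client: pam_authenticate() alone vs. pam_authenticate() + pam_acct_mgmt().
 * Added example; not libpam4j code. Assumes Linux-PAM (struct layouts and constants below). */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS               0
#define PAM_PROMPT_ECHO_OFF       1      /* "Password:"-style prompt */
#define PAM_PROMPT_ECHO_ON        2
#define PAM_CONV_ERR              19
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001

/* Linux-PAM ABI (assumption): we declare these ourselves instead of including <security/pam_appl.h>. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
typedef struct pam_handle pam_handle_t;

typedef int (*pam_start_fn)(const char *, const char *, const struct pam_conv *, pam_handle_t **);
typedef int (*pam_call_fn)(pam_handle_t *, int);   /* pam_authenticate, pam_acct_mgmt, pam_end */
typedef const char *(*pam_strerror_fn)(pam_handle_t *, int);

/* Conversation callback: answers every password prompt with the password passed as appdata.
 * PAM takes ownership of the response array and the strings and free()s them. */
static int conv_fn(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata)
{
    const char *password = appdata;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF || msg[i]->msg_style == PAM_PROMPT_ECHO_ON) {
            r[i].resp = strdup(password);
            if (!r[i].resp) {                       /* undo partial allocation on failure */
                for (int j = 0; j < i; j++) free(r[j].resp);
                free(r);
                return PAM_CONV_ERR;
            }
        }
        /* PAM_ERROR_MSG / PAM_TEXT_INFO need no answer: resp stays NULL */
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Runs the PAM login sequence for one user.
 * check_account == 0: pre-fix libpam4j behaviour (pam_authenticate only).
 * check_account != 0: fixed sequence (pam_authenticate, then pam_acct_mgmt).
 * Returns PAM_SUCCESS (0) if the login would be allowed, the failing PAM status otherwise,
 * or -1 if libpam could not be loaded. */
int authenticate_user(const char *service, const char *user, const char *password, int check_account)
{
    void *lib = dlopen("libpam.so.0", RTLD_NOW);
    if (!lib) { fprintf(stderr, "dlopen: %s\n", dlerror()); return -1; }

    pam_start_fn    p_start    = (pam_start_fn)dlsym(lib, "pam_start");
    pam_call_fn     p_auth     = (pam_call_fn)dlsym(lib, "pam_authenticate");
    pam_call_fn     p_acct     = (pam_call_fn)dlsym(lib, "pam_acct_mgmt");
    pam_call_fn     p_end      = (pam_call_fn)dlsym(lib, "pam_end");
    pam_strerror_fn p_strerror = (pam_strerror_fn)dlsym(lib, "pam_strerror");
    if (!p_start || !p_auth || !p_acct || !p_end || !p_strerror) { dlclose(lib); return -1; }

    struct pam_conv conv = { conv_fn, (void *)password };
    pam_handle_t *pamh = NULL;
    int rc = p_start(service, user, &conv, &pamh);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "pam_start: %s\n", p_strerror(NULL, rc));
        dlclose(lib);
        return rc;
    }

    /* Step 1: is the password correct? This is all the pre-fix library checked. */
    rc = p_auth(pamh, PAM_DISALLOW_NULL_AUTHTOK);
    if (rc != PAM_SUCCESS) fprintf(stderr, "pam_authenticate: %s\n", p_strerror(pamh, rc));

    /* Step 2: may this account log in at all (not expired, locked, or denied by the
     * account stack)? A correct password says nothing about that; only pam_acct_mgmt() does. */
    if (rc == PAM_SUCCESS && check_account) {
        rc = p_acct(pamh, 0);
        if (rc != PAM_SUCCESS) fprintf(stderr, "pam_acct_mgmt: %s\n", p_strerror(pamh, rc));
    }

    p_end(pamh, rc);
    dlclose(lib);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s service user password\n", argv[0]); return 2; }
    int before = authenticate_user(argv[1], argv[2], argv[3], 0);
    int after  = authenticate_user(argv[1], argv[2], argv[3], 1);
    printf("pam_authenticate only (pre-fix):         %s\n", before == PAM_SUCCESS ? "login allowed" : "denied");
    printf("pam_authenticate + pam_acct_mgmt (fixed): %s\n", after  == PAM_SUCCESS ? "login allowed" : "denied");
    return after == PAM_SUCCESS ? 0 : 1;
}
```

To reproduce the advisory's scenario as root (assumption: shadow-utils present), give a test account a valid password and then expire it with `chage -E 0 testuser`, which leaves the password intact but makes the account stack fail; running the program with the `login` service then reports "login allowed" for the pre-fix sequence and "denied" for the fixed one. A locked password (`passwd -l`) is not a good test, since that makes pam_authenticate() itself fail and both sequences deny.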
Comment 5 Lewis Smith 2018-04-29 21:48:04 CEST
This is curious:
 $ urpmq --whatrequires libpam4j
 $ urpmq --whatrequires-recursive libpam4j
 $ urpmq -l libpam4j | sort -u
/usr/share/doc/libpam4j
/usr/share/doc/libpam4j/README.md
/usr/share/java/libpam4j
/usr/share/java/libpam4j/libpam4j.jar
/usr/share/licenses/libpam4j
/usr/share/licenses/libpam4j/LICENSE
/usr/share/maven-metadata/libpam4j.xml
/usr/share/maven-poms/libpam4j
/usr/share/maven-poms/libpam4j/libpam4j.pom

Can we test this other than clean update? No previous updates for it.
Comment 6 David Walser 2018-04-29 22:23:13 CEST
Yeah for Java stuff like this, just test that it updates cleanly.
Comment 7 Herman Viaene 2018-05-12 11:27:53 CEST
MGA6-32 on Dell Latitude D600 MATE
No installation issues.
Clean install OK

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 8 Lewis Smith 2018-05-13 20:19:32 CEST
Test updating M6/64

Installed from current repos (note *no* lib64... here):
 libpam4j-javadoc-1.8-7.mga6.noarch.rpm
 libpam4j-1.8-7.mga6.noarch.rpm

From Updates Testing, updated via MCC-Update System to:
 libpam4j-1.8-7.1.mga6
 libpam4j-javadoc-1.8-7.1.mga6
No problems. OK.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-05-16 10:26:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

