That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/01/18/3

It is fixed in version 1.6.0:
https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0

It is fixed by this commit:
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb

Mageia 9 is also affected.

Source RPM: (none) => pam-1.5.2-5.mga9.src.rpm
CVE: (none) => CVE-2024-22365
Whiteboard: (none) => MGA9TOO
No obvious packager for pam, so assigning globally.
Assignee: bugsquad => pkg-bugs
Status comment: (none) => fixed in version 1.6.0, also by a patch

Suggested advisory:
========================

The updated packages fix a security vulnerability:

pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations. (CVE-2024-22365)

References:
https://www.openwall.com/lists/oss-security/2024/01/18/3
========================

Updated packages in core/updates_testing:
========================
lib(64)pam0-1.5.2-5.1.mga9
lib(64)pam-devel-1.5.2-5.1.mga9
pam-1.5.2-5.1.mga9
pam-doc-1.5.2-5.1.mga9

from SRPM:
pam-1.5.2-5.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Status comment: fixed in version 1.6.0, also by a patch => (none)
Version: Cauldron => 9
CC: (none) => mageia
Tested on real hardware, Mageia 9 x86_64. Updated without issues. Among the output of urpmq --whatrequires lib64pam0 is kwallet-pam, so I tested starting a session with nheko; no issues detected.
Among the output of urpmq --whatrequires lib64pam0 is polkit. I started MCC, it asked for the root password, I typed it and pressed Enter; no issues detected. Same hardware as comment#3.
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
Keywords: (none) => advisory
CC: (none) => marja11

Created attachment 14318
excerpts from journal

Tested with KDE Plasma amd64 on real hardware (autoboot) and Gnome amd64 in a virtual machine. No regression found.
NB The error message "gdm-password][17988]: gkr-pam: unable to locate daemon control file" is also found earlier. No regression.

Ulrich
CC: (none) => bequimao.de
Set to ok. Ulrich
Whiteboard: (none) => MGA9-64-OK
mga9-64 with SDDM and Plasma OK
CC: (none) => fri
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0030.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
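
The advisory in this report describes the fix as using O_DIRECTORY in protect_dir(). The C program below is an added example, not linux-pam code and not part of this bug report: it shows that an open with O_DIRECTORY refuses a non-directory entry immediately with ENOTDIR (here a FIFO, whose plain read-only open would otherwise wait for a writer). The helper open_component(), the function demo() and the scratch names under /tmp are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper (not linux-pam code): open one path component
 * relative to dirfd and accept it only if it is a directory. */
static int open_component(int dirfd, const char *name)
{
    return openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
}

/* Constructed scenario: scratch dir with a real subdirectory and a FIFO.
 * Returns 0 if only the subdirectory opens; *fifo_errno gets the FIFO's errno. */
static int demo(int *fifo_errno)
{
    char tmpl[] = "/tmp/odir-demo-XXXXXX";
    int rc = -1, base = -1, fd;
    if (mkdtemp(tmpl) == NULL) return -1;
    base = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (base < 0 || mkdirat(base, "realdir", 0700) != 0 ||
        mkfifoat(base, "notdir", 0600) != 0)
        goto out;
    if ((fd = open_component(base, "realdir")) < 0)
        goto out;
    close(fd);
    errno = 0;
    fd = open_component(base, "notdir"); /* returns at once with ENOTDIR */
    *fifo_errno = errno;
    rc = (fd < 0) ? 0 : -1;
    if (fd >= 0) close(fd);
out:
    if (base >= 0) {
        unlinkat(base, "notdir", 0);
        unlinkat(base, "realdir", AT_REMOVEDIR);
        close(base);
    }
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int e = 0, rc = demo(&e);
    printf("demo=%d fifo_errno=%d (ENOTDIR=%d)\n", rc, e, ENOTDIR);
    return rc;
}
```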