Bug 32746 - pam new security issue CVE-2024-22365
Summary: pam new security issue CVE-2024-22365
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All  OS: Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-01-19 11:48 CET by Nicolas Salguero
Modified: 2024-02-09 02:35 CET (History)
6 users

See Also:
Source RPM: pam-1.5.2-5.mga9.src.rpm
CVE: CVE-2024-22365
Status comment:


Attachments
excerpts from journal (2.25 KB, text/plain), 2024-01-29 21:52 CET, Ulrich Beckmann

Description Nicolas Salguero 2024-01-19 11:48:12 CET
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/01/18/3

It is fixed in version 1.6.0:
https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0
It is fixed by this commit:
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb

Mageia 9 is also affected.
Nicolas Salguero 2024-01-19 11:48:57 CET

Source RPM: (none) => pam-1.5.2-5.mga9.src.rpm
CVE: (none) => CVE-2024-22365
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-01-22 11:44:15 CET
No obvious packager for pam, so assigning globally.

Assignee: bugsquad => pkg-bugs
Status comment: (none) => fixed in version 1.6.0, also by a patch

Comment 2 Nicolas Salguero 2024-01-26 15:23:07 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations. (CVE-2024-22365)

References:
https://www.openwall.com/lists/oss-security/2024/01/18/3
========================

Updated packages in core/updates_testing:
========================
lib(64)pam0-1.5.2-5.1.mga9
lib(64)pam-devel-1.5.2-5.1.mga9
pam-1.5.2-5.1.mga9
pam-doc-1.5.2-5.1.mga9

from SRPM:
pam-1.5.2-5.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Status comment: fixed in version 1.6.0, also by a patch => (none)
Version: Cauldron => 9
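
The advisory line in comment 2 summarises the fix as opening path components in protect_dir() with O_DIRECTORY. The program below is an added example written for this page; it is not linux-pam code and not part of the bug report. It builds a constructed layout under a mkdtemp() directory (a FIFO named "trap" beside a real subdirectory "ok") and compares a plain openat() with one that passes O_DIRECTORY. The helper names, the layout and the idea that the blocking object is a FIFO are illustration choices; what the page itself states is only the one-line advisory text. The legacy helper adds O_NONBLOCK so the demo cannot hang, so it shows the FIFO being accepted rather than the actual hang.

```c
/* Added example (not linux-pam code): what O_DIRECTORY buys when walking a
 * path whose components a local user may be able to create.  Layout built
 * here is constructed for the demo: <tmpdir>/trap is a FIFO, <tmpdir>/ok is
 * a directory. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hardened style: with O_DIRECTORY the kernel fails the open with ENOTDIR
 * for anything that is not a directory, so a FIFO (or a device node) in the
 * path is rejected before the open could block or have side effects. */
static int open_component_hardened(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    return fd < 0 ? -errno : fd;
}

/* Pre-fix style (assumed for illustration): a plain read-only open.  On a
 * FIFO with no writer this blocks until someone opens the write side, which
 * is the denial of service.  O_NONBLOCK is added ONLY so this demo returns;
 * it still shows that the FIFO is accepted instead of rejected. */
static int open_component_legacy(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    return fd < 0 ? -errno : fd;
}

/* Create the constructed layout in a fresh temporary directory, open the
 * named component ("trap" or "ok") with the chosen style, then clean up.
 * Returns 0 if the component opened, -errno if the open failed, and -EIO if
 * the fixture itself could not be created. */
static int probe(int hardened, const char *component)
{
    const char *base = getenv("TMPDIR");
    char tmpl[4096];
    int dirfd = -1, fd = -1, rc = -EIO;

    if (base == NULL || *base == '\0')
        base = "/tmp";
    snprintf(tmpl, sizeof tmpl, "%s/o_directory_demo.XXXXXX", base);
    if (mkdtemp(tmpl) == NULL)
        return -EIO;

    dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd >= 0 &&
        mkfifoat(dirfd, "trap", 0600) == 0 &&
        mkdirat(dirfd, "ok", 0700) == 0) {
        fd = hardened ? open_component_hardened(dirfd, component)
                      : open_component_legacy(dirfd, component);
        if (fd >= 0) {
            close(fd);
            rc = 0;
        } else {
            rc = fd;            /* negative errno from the helper */
        }
    }

    if (dirfd >= 0) {
        unlinkat(dirfd, "trap", 0);
        unlinkat(dirfd, "ok", AT_REMOVEDIR);
        close(dirfd);
    }
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int legacy_fifo = probe(0, "trap");
    int hardened_fifo = probe(1, "trap");
    int hardened_dir = probe(1, "ok");

    printf("legacy   open of FIFO 'trap': %s\n",
           legacy_fifo == 0 ? "accepted (would block without O_NONBLOCK)"
                            : strerror(-legacy_fifo));
    printf("hardened open of FIFO 'trap': %s\n",
           hardened_fifo == 0 ? "accepted" : strerror(-hardened_fifo));
    printf("hardened open of dir  'ok'  : %s\n",
           hardened_dir == 0 ? "accepted" : strerror(-hardened_dir));
    return 0;
}
```

Run it on a normal Linux box with a writable /tmp (or TMPDIR): the legacy open accepts the FIFO, the O_DIRECTORY open fails immediately with ENOTDIR, and the real subdirectory opens either way. O_NOFOLLOW is kept in both helpers because a symlink in a user-writable component is the other classic way to redirect this kind of walk; it is independent of the O_DIRECTORY point.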

PC LX 2024-01-26 19:02:06 CET

CC: (none) => mageia

Comment 3 katnatek 2024-01-28 01:58:54 CET
Tested on real hardware, Mageia 9 x86_64.

Update without issues.

Among the output of urpmq --whatrequires lib64pam0 is

kwallet-pam

so I tested starting a session with nheko; no issues detected.
Comment 4 katnatek 2024-01-28 02:07:07 CET
Among the output of urpmq --whatrequires lib64pam0 is polkit. I started MCC, it asked for the root password, I typed it and pressed enter; no issues detected. Same hardware as comment#3.
Comment 5 Marja Van Waes 2024-01-29 10:39:38 CET
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory
CC: (none) => marja11

Comment 6 Ulrich Beckmann 2024-01-29 21:52:15 CET
Created attachment 14318 [details]
excerpts from journal

Tested with KDE Plasma amd64 on real hardware (autoboot) and
Gnome amd64 in a virtual machine.

No regression found.

NB 
The error message "gdm-password][17988]: gkr-pam: unable to locate daemon control file" is also found earlier. No regression.

Ulrich

CC: (none) => bequimao.de

Comment 7 Ulrich Beckmann 2024-02-05 17:42:39 CET
Set to ok.

Ulrich

Whiteboard: (none) => MGA9-64-OK

Comment 8 Morgan Leijström 2024-02-06 01:14:23 CET
mga9-64 with SDDM and Plasma OK

CC: (none) => fri

Comment 9 Thomas Andrews 2024-02-06 22:14:08 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2024-02-09 02:35:35 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0030.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
