
update: pam

Open dongsupark opened this issue 1 year ago • 7 comments

Name: pam
CVEs: CVE-2024-22365, CVE-2024-10041, CVE-2024-10963, CVE-2025-6020
CVSSs: 5.5, 4.7, 7.4, 7.8
Action Needed: update to >= 1.7.1

Summary:

  • CVE-2024-22365: linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.
  • CVE-2024-10041: The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. (NOTE: Enforced SELinux can mitigate the issue)
  • CVE-2024-10963: A vulnerability was found in pam_access due to the improper handling of tokens in access.conf, interpreted as hostnames. This flaw allows attackers to bypass access restrictions by spoofing hostnames, undermining configurations designed to limit access to specific TTYs or services. The flaw poses a risk in environments relying on these configurations for local access control.
    • https://bugzilla.redhat.com/show_bug.cgi?id=2324291
  • CVE-2025-6020: A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

refmap.gentoo:

  • CVE-2024-22365: https://bugs.gentoo.org/922397
  • CVE-2024-10041: https://bugs.gentoo.org/942075
  • CVE-2024-10963: TBD
  • CVE-2025-6020: https://bugs.gentoo.org/958320

dongsupark avatar Feb 07 '24 15:02 dongsupark
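The CVE-2024-22365 entry above comes down to one missing flag: a directory walk that opens path components with openat() but without O_DIRECTORY will happily open a FIFO planted where a directory is expected, and a blocking read-open of a FIFO waits for a writer that never comes. The following is an added example, not Flatcar's or Linux-PAM's own code, that builds a scratch tree under /tmp, plants a FIFO next to a real directory, and compares a strict open (O_DIRECTORY, plus O_NOFOLLOW against symlink substitution of the kind the pam_namespace entry describes) with the lax pattern. The function names and the /tmp scratch path are assumptions of this example; the lax open uses O_NONBLOCK only so the demo itself never hangs.

```c
// Added example (not Flatcar's or Linux-PAM's code): why a directory-protecting
// openat() must carry O_DIRECTORY. Without it, a FIFO placed where a directory
// is expected is opened and the open blocks (the CVE-2024-22365 denial of service).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` relative to `dirfd`, insisting that it really is a directory.
 * O_DIRECTORY makes the kernel reject FIFOs and regular files with ENOTDIR
 * instead of opening (and possibly blocking on) them. O_NOFOLLOW refuses a
 * symlink in the final component, so a swapped-in link is not followed either.
 * (Hypothetical helper name, chosen for this example.) */
int open_dir_strict(int dirfd, const char *name) {
    return openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Result bits returned by run_demo() so the outcome can be checked. */
enum {
    REAL_DIR_OK     = 1,  /* strict open of a real directory succeeded      */
    FIFO_REJECTED   = 2,  /* strict open of a FIFO failed with ENOTDIR      */
    FIFO_OPENED_LAX = 4,  /* open without O_DIRECTORY accepted the FIFO     */
};

/* Build a constructed scratch tree under /tmp, plant a FIFO named like a
 * directory, and compare strict vs lax opens. Returns -1 if setup failed. */
int run_demo(void) {
    char tmpl[] = "/tmp/pamdemo.XXXXXX";
    char *root = mkdtemp(tmpl);
    if (!root) return -1;
    int result = 0;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd >= 0 &&
        mkdirat(rootfd, "real", 0700) == 0 &&
        mkfifoat(rootfd, "fake", 0600) == 0) {

        int fd = open_dir_strict(rootfd, "real");
        if (fd >= 0) { result |= REAL_DIR_OK; close(fd); }

        errno = 0;
        fd = open_dir_strict(rootfd, "fake");
        if (fd < 0 && errno == ENOTDIR) result |= FIFO_REJECTED;
        else if (fd >= 0) close(fd);

        /* The pre-fix pattern: no O_DIRECTORY, so the FIFO is opened.
         * O_NONBLOCK is added here only so this demo cannot hang. */
        fd = openat(rootfd, "fake", O_RDONLY | O_NONBLOCK);
        if (fd >= 0) { result |= FIFO_OPENED_LAX; close(fd); }

        unlinkat(rootfd, "fake", 0);
        unlinkat(rootfd, "real", AT_REMOVEDIR);
    }
    if (rootfd >= 0) close(rootfd);
    rmdir(root);
    return result;
}

int main(void) {
    int r = run_demo();
    printf("real directory opened strictly:    %s\n", (r & REAL_DIR_OK) ? "yes" : "no");
    printf("FIFO rejected with O_DIRECTORY:    %s\n", (r & FIFO_REJECTED) ? "yes" : "no");
    printf("FIFO accepted without O_DIRECTORY: %s\n", (r & FIFO_OPENED_LAX) ? "yes" : "no");
    return r == (REAL_DIR_OK | FIFO_REJECTED | FIFO_OPENED_LAX) ? 0 : 1;
}
```

On a Linux host the strict open accepts the real directory and fails on the FIFO with ENOTDIR, while the lax open accepts the FIFO; drop O_NONBLOCK from the lax call and the same open blocks, which is the behaviour the CVE text describes. The same flag combination is the check to look for when reviewing any privileged code that walks and creates directories on a user-influenced path.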

Added CVE-2024-10041 (https://bugs.gentoo.org/942075)

tormath1 avatar Oct 24 '24 13:10 tormath1

Added CVE-2024-10963

dongsupark avatar Nov 08 '24 09:11 dongsupark

Is there something blocking this or do we just need to get around to it? It's a forked package, so I could look at switching to upstream.

chewi avatar Mar 03 '25 14:03 chewi

It would be worth verifying if the fork is still needed, please see README. If not needed, of course we can switch to upstream.

dongsupark avatar Mar 03 '25 15:03 dongsupark

Added CVE-2025-6020

dongsupark avatar Jun 23 '25 08:06 dongsupark

> Added CVE-2025-6020

Looks quite serious. Flatcar doesn't have pam_namespace enabled by default, but it is included.

I did look at bumping this but got sidetracked with moving it into portage-stable and reconciling some of the differences with Gentoo. Let me know if you want to do a simpler bump in the meantime.

chewi avatar Jun 23 '25 09:06 chewi

> Let me know if you want to do a simpler bump in the meantime.

Yeah, it looks like a good idea to do a simpler bump for the July release. Anyway no need to rush, as we would have at least 4 weeks from now on. We also have a bunch of other CVEs to be resolved, pending in weekly updates.

dongsupark avatar Jun 23 '25 09:06 dongsupark

Done in https://github.com/flatcar/scripts/pull/1706.

dongsupark avatar Nov 14 '25 11:11 dongsupark