authorSam Hartman <hartmans@debian.org>2024-02-02 11:41:09 -0700
committerSam Hartman <hartmans@debian.org>2024-02-02 11:41:09 -0700
commit8f9a41d1e50ac0a422d303a50e4d8bc25333c337 (patch)
tree94f1932315e8917b8c4aa5693f60b42f30cf88c1
parentb44cdcf5daef4d51e3d755b0e2322dc1228204bf (diff)
pam_namespace_o_directory
-rw-r--r--debian/patches/pam_namespace_o_directory58
-rw-r--r--debian/patches/series1
2 files changed, 59 insertions, 0 deletions
diff --git a/debian/patches/pam_namespace_o_directory b/debian/patches/pam_namespace_o_directory
new file mode 100644
index 00000000..f8838223
--- /dev/null
+++ b/debian/patches/pam_namespace_o_directory
@@ -0,0 +1,58 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Fri, 2 Feb 2024 11:38:09 -0700
+Subject: From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Wed,
+ 27 Dec 2023 14:01:59 +0100 Subject: pam_namespace: protect_dir(): use
+ O_DIRECTORY to prevent local DoS situations Origin:
+ https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
+ Bug-Debian: https://bugs.debian.org/1061097 Bug-Debian-Security:
+ https://security-tracker.debian.org/tracker/CVE-2024-22365
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index f34ce93..ef85644 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1194,7 +1194,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1248,22 +1248,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {
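Review bot: The DEP-3 header of the new patch file is folded into one Subject: field at L23–L28 — the upstream From:, Date:, the real Subject, Origin:, Bug-Debian: and Bug-Debian-Security: values all appear as continuation lines of a single overlong Subject, so tools that parse the header (`quilt header`, `gbp pq`, the patch tracker) will read one garbled title and lose the Origin and bug references. Each field should stand on its own line, e.g. `Subject: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations` followed by separate `Origin:`, `Bug-Debian:` and `Bug-Debian-Security:` lines carrying the values already given here, with the upstream author and date kept as the From:/Date: pair. The C change itself is consistent with the stated intent: with O_DIRECTORY the `openat()` at L57 fails with ENOTDIR for a non-directory, which is the same errno the dropped S_ISDIR branch at L68–L73 set explicitly, so callers that inspect errno should see no difference; note that protect_dir() begins and ends outside the embedded hunks, so whether `st` and `save_errno` remain referenced elsewhere in the function cannot be confirmed from this page.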
diff --git a/debian/patches/series b/debian/patches/series
index 8f2a05e1..dd734f94 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ no_PATH_MAX_on_hurd
fix-autoreconf.patch
nullok_secure-compat.patch
pam_mkhomedir_stat_before_opendir
+pam_namespace_o_directory