Sync from SUSE:SLFO:Main pam_pkcs11 revision 02ddf1130cb41a568b110dd00e9a5c7a

pam_pkcs11-CVE-2025-24032.patch

@@ -0,0 +1,105 @@
+From b665b287ff955bbbd9539252ff9f9e2754c3fb48 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Fri, 6 Dec 2024 04:39:04 +0100
+Subject: [PATCH] fixed possible authentication bypass: Use signatures to
+ verify authentication by default
+
+If cert_policy is set to none (the default value), then pam_pkcs11 will
+only check if the user is capable of logging into the token. An attacker
+may create a different token with the user's public data (e.g. the
+user's certificate) and a PIN known to the attacker. If no signature
+with the private key is required, then the attacker may now login as
+user with that created token.
+
+This change, by default, uses the private key to crate a signature. A
+new policy, `no_signature` is introduced if the module should really
+*not* validate the key's signature
+---
+ src/common/cert_vfy.h       |  2 +-
+ src/pam_pkcs11/pam_config.c | 16 +++++++++++-----
+ src/pam_pkcs11/pam_pkcs11.c |  2 +-
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+Index: pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
+===================================================================
+--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/common/cert_vfy.h
++++ pam_pkcs11-pam_pkcs11-0.6.12/src/common/cert_vfy.h
+@@ -48,7 +48,7 @@ typedef enum {
+ struct cert_policy_st {
+ 	int ca_policy;
+ 	int crl_policy;
+-	int signature_policy;
++	int no_signature_policy;
+ 	const char *ca_dir;
+ 	const char *crl_dir;
+ 	const char *nss_dir;
+Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
+===================================================================
+--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_config.c
++++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_config.c
+@@ -87,7 +87,7 @@ static void display_config (void) {
+         DBG1("support_threads %d",configuration.support_threads);
+         DBG1("ca_policy %d",configuration.policy.ca_policy);
+         DBG1("crl_policy %d",configuration.policy.crl_policy);
+-        DBG1("signature_policy %d",configuration.policy.signature_policy);
++        DBG1("no_signature_policy %d",configuration.policy.no_signature_policy);
+         DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
+ 		DBG1("err_display_time %d", configuration.err_display_time);
+ }
+@@ -180,7 +180,7 @@ static void parse_config_file(void) {
+ 			configuration.policy.crl_policy=CRLP_NONE;
+ 			configuration.policy.ocsp_policy=OCSP_NONE;
+ 			configuration.policy.ca_policy=0;
+-			configuration.policy.signature_policy=0;
++			configuration.policy.no_signature_policy=0;
+ 			break;
+ 		} else if ( !strcmp(policy_list->data,"crl_auto") ) {
+ 			configuration.policy.crl_policy=CRLP_AUTO;
+@@ -193,7 +193,10 @@ static void parse_config_file(void) {
+ 		} else if ( !strcmp(policy_list->data,"ca") ) {
+ 			configuration.policy.ca_policy=1;
+ 		} else if ( !strcmp(policy_list->data,"signature") ) {
+-			configuration.policy.signature_policy=1;
++			// ignore this setting for legacy reasons
++		} else if ( !strcmp(policy_list->data,"no_signature") ) {
++			// ignore this setting for legacy reasons
++			configuration.policy.no_signature_policy=1;
+ 		} else {
+                    DBG1("Invalid CRL policy: %s",policy_list->data);
+ 	        }
+@@ -321,7 +324,7 @@ struct configuration_st *pk_configure( i
+ 		if (strstr(argv[i],"none")) {
+ 			configuration.policy.crl_policy=CRLP_NONE;
+ 			configuration.policy.ca_policy=0;
+-			configuration.policy.signature_policy=0;
++			configuration.policy.no_signature_policy=0;
+ 			configuration.policy.ocsp_policy=OCSP_NONE;
+ 		}
+ 		if (strstr(argv[i],"crl_online")) {
+@@ -340,7 +343,10 @@ struct configuration_st *pk_configure( i
+ 			configuration.policy.ca_policy=1;
+ 		}
+ 		if (strstr(argv[i],"signature")) {
+-			configuration.policy.signature_policy=1;
++			// ignore this setting for legacy reasons
++		}
++		if (strstr(argv[i],"no_signature")) {
++			configuration.policy.no_signature_policy=1;
+ 		}
+ 		continue;
+ 	   }
+Index: pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
+===================================================================
+--- pam_pkcs11-pam_pkcs11-0.6.12.orig/src/pam_pkcs11/pam_pkcs11.c
++++ pam_pkcs11-pam_pkcs11-0.6.12/src/pam_pkcs11/pam_pkcs11.c
+@@ -618,8 +618,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ 
+ 
+   /* if signature check is enforced, generate random data, sign and verify */
+-  if (configuration->policy.signature_policy) {
+-		pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
++  if (!configuration->policy.no_signature_policy) {
++  	pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
+ 
+ 
+ #ifdef notdef

pam_pkcs11.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 19 13:50:20 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Security update fix [bsc#1237062, CVE-2025-24032]
+  * Fix CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`)
+  * Add pam_pkcs11-CVE-2025-24032.patch
+
 -------------------------------------------------------------------
 Wed Feb  5 09:28:30 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
 

pam_pkcs11.spec

@@ -39,6 +39,8 @@ Patch4:         0001-Set-slot_num-configuration-parameter-to-0-by-default.patch
 Patch6:         0001-memory-leak-fixes.patch
 # PATCH-FIX-UPSTREAM: bsc#1236314 CVE-2025-24531 has a regression returning PAM_IGNORE in many situations with possible authentication bypass
 Patch7:         pam_pkcs11-CVE-2025-24531.patch
+# PATCH-FIX-UPSTREAM: bsc#1237062 CVE-2025-24032: vulnerable to authentication bypass with default value for `cert_policy` (`none`) 
+Patch8:         pam_pkcs11-CVE-2025-24032.patch
 BuildRequires:  curl-devel
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  doxygen
@@ -109,7 +111,6 @@ sed -i '/^HTML_TIMESTAMP/s/YES/NO/' doc/doxygen.conf.in
 # Generate documentation: This sounds like an upstream bug while making an upstream source tarball.
 %make_build dist
 
-
 %check
 %make_build check