CVE-2024-10041: vulnerable to read hashed password

- Make sure that the buffer containing encrypted passwords get's erased, before free. [pam_modutil_get-overwrite-password-at-free.patch, bsc#1232234, CVE-2024-10041] Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
2025-10-21 10:56:29 +02:00
8 changed files with 185 additions and 68 deletions
--- a/Linux-PAM-1.7.1.tar.xz
+++ b/Linux-PAM-1.7.1.tar.xz
--- a/Linux-PAM-1.7.1.tar.xz.asc
+++ b/Linux-PAM-1.7.1.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJoUTDGAAoJEKgEH6g54W42RDQQAIKq+ltEn0g/lB0g+xU9SArO
+ItMiZDp6RaLDIRgOxbl1hnQyXvXcW5LYBT36u+e5PLKrtMzc8/S3kDtn2FRsS5KW
+aZaKmZI6UlEQVErMfX2F8/uPvcMRNmqHL7h3+BW8aIWp+WTBO3TIOZxVqNoDFbxj
+L/9G3KYTgcuKjb6XoDlicS68ImcLJC2BPjcaisaoqKRyK504jgYK6Wl6AFo7Fu8r
+PS134LM6gUUxMzdYCpISmO5tZh+uOqtCfbdeOY3bwBeupe2J4D6v7uASF7RqEXPX
+/imsmUkmqLmOOolvLflGDsiz1HaY05LW7CcJngXOV6WKU+HqBg9E5Xclnr0RyvBD
+tmFPeWlgPw+zg+BVUhGAUeLoFCknbtY/7TEB4Jh0Z/Tm+pOUVoQbhrUCI0rAgapN
+dA9i5DCUuEBXRul2YvG7EZGuYs77fzpf/J++b9XKB9kH1Bc3vaaZoaO+lbN8g6Ei
+CbZCmD0ct0UhUTX+FEUG9SkMTomyd9ihz6kuHcuo4eCVbVuDJpF+vEUjVb7no9Aw
+KlZ6/I45GRRjIYYk/vxpgNX05D8xeMxDkXEMcKAHsI/q4oOe7Hsuess47WioiVXL
+xNl6AHjJ4VMcz1xLPR8COA8L3uaZNtxuIGhazZFeJbrfJct5gsf9iv04pdAA73/B
+NtgHrE6GjGSmw+/xX22z
+=RQhR
+-----END PGP SIGNATURE-----
--- a/Linux-PAM-1.7.2.tar.xz
+++ b/Linux-PAM-1.7.2.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:437a88182eab6168a39d00b08252741f9a5b7da9dc3fce93a6a806fbe826e5b6
-size 563824
--- a/15
+++ b/15
@@ -1,15 +0,0 @@
-<services>
-  <service name="tar_scm" mode="manual">
-    <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@</param>
-    <param name="versionrewrite-pattern">v(.*?)(\+git0)?$</param>
-    <param name="url">https://github.com/linux-pam/linux-pam.git</param>
-    <param name="scm">git</param>
-    <param name="changesgenerate">enable</param>
-    <param name="filename">Linux-PAM</param>
-  </service>
-  <service name="set_version" mode="manual"/>
-  <service name="recompress" mode="manual">
-    <param name="compression">xz</param>
-    <param name="file">*.tar</param>
-  </service>
-</services>
--- a/5
+++ b/5
@@ -1,5 +0,0 @@
-<servicedata>
-  <service name="tar_scm">
-    <param name="url">https://github.com/linux-pam/linux-pam.git</param>
- <param name="changesrevision">fe03a10115c082a8486ccbab7462139d7e4bb067</param></service>
-</servicedata>
--- a/pam.changes
+++ b/pam.changes
@@ -1,43 +1,3 @@
-------------------------------------------------------------------
-Thu Jan 22 13:09:25 UTC 2026 - Thorsten Kukuk <kukuk@suse.com>
-
- Update to version 1.7.2:
-  * build: enabled vendordir by default.
-  * pam_access: fixed stack overflow with huge configuration files.
-  * pam_env: enhanced error diagnostics when ignoring backslash at end of string.
-  * pam_faillock: skip clearing user's failed attempt when auth stack is not run.
-  * pam_mkhomedir: added support for vendordir skeleton directory.
-  * pam_unix: added support for pwaccessd.
-  * pam_unix: added support for PAM_CHANGE_EXPIRED_AUTHTOK.
-  * pam_unix: fixed password expiration warnings for large day values.
-  * pam_unix: hardened temporary file handling.
-  * Multiple minor bug fixes, build fixes, portability fixes, 
-    documentation improvements, and translation updates.
- Drop post-v1.7.1.patch
- Drop pam_mkhomedir-Use-vendordir-when-defined.patch
- Build source archive directly from git
-
-------------------------------------------------------------------
-Thu Dec 11 14:03:11 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
-
- Add pam_env.conf.d directory for configuration snippets, to support drop-in
-  configuration files for pam_env, following the modular configuration pattern
-  used in modern Linux distributions.
-  
-------------------------------------------------------------------
-Mon Sep 15 07:53:29 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
-
- pam_mkhomedir: building with vendordir option allows fetching skeleton
-  directory from the vendor directory when creating the user home directory.
-  [+ pam_mkhomedir-Use-vendordir-when-defined.patch, bsc#1245524]
-
-------------------------------------------------------------------
-Wed Aug 27 14:20:14 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
-
- Update to 1.7.1+git (post-v1.7.1.patch)
-  - disable unix_chkpwd by default, only used as fallback again
- pam_modutil_get-overwrite-password-at-free.patch is included
-
 -------------------------------------------------------------------
 Tue Aug 19 10:12:13 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>

--- a/pam.spec
+++ b/pam.spec
@@ -70,13 +70,14 @@
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.7.2
+Version:        1.7.1
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
 Group:          System/Libraries
 URL:            https://github.com/linux-pam/linux-pam
 Source:         Linux-PAM-%{version}.tar.xz
+Source1:        Linux-PAM-%{version}.tar.xz.asc
 Source2:        macros.pam
 Source3:        other.pamd
 Source4:        common-auth.pamd
@@ -92,6 +93,7 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
+Patch2:         pam_modutil_get-overwrite-password-at-free.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
@@ -214,7 +216,6 @@ CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
       -Dhtmldir=%{_docdir}/pam/html \
       -Dpdfdir=%{_docdir}/pam/pdf \
       -Dsecuredir=%{_pam_moduledir} \
-       -Dpam_unix-try-getspnam=true \
 %if "%{flavor}" != "full"
       -Dlogind=disabled \
       -Dpam_userdb=disabled \
@@ -222,7 +223,6 @@ CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 %else
       -Dlogind=enabled \
 %endif
-       -Dpwaccess=disabled \
       -Delogind=disabled \
       -Dexamples=false \
       -Dnis=disabled
@@ -290,7 +290,7 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 # /run/motd.d
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf

-mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d,pam_env.conf.d}
+mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}

 # Remove manual pages for main package
 %if !%{build_doc}
@@ -351,7 +351,6 @@ done
 %{_pam_secdistconfdir}/group.conf
 %{_pam_secdistconfdir}/faillock.conf
 %{_pam_secdistconfdir}/pam_env.conf
-%dir %{_pam_secdistconfdir}/pam_env.conf.d
 %if %{with selinux}
 %{_pam_secdistconfdir}/sepermit.conf
 %endif
--- a/pam_modutil_get-overwrite-password-at-free.patch
+++ b/pam_modutil_get-overwrite-password-at-free.patch
@@ -0,0 +1,162 @@
+From e2fdc55d9d8d277c9395f96c3bf2938bacc84f62 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Thu, 14 Aug 2025 12:01:25 +0200
+Subject: [PATCH] pam_modutil_get*: overwrite password at free (#846)
+
+Make sure that the buffer containing encrypted passwords (struct group,
+passwd and shadow) get's erased before free, so that they are not
+available anymore if the memory get allocated again.
+---
+ libpam/pam_modutil_cleanup.c  | 40 +++++++++++++++++++++++++++++++++++
+ libpam/pam_modutil_getgrgid.c |  2 +-
+ libpam/pam_modutil_getgrnam.c |  2 +-
+ libpam/pam_modutil_getpwnam.c |  2 +-
+ libpam/pam_modutil_getpwuid.c |  2 +-
+ libpam/pam_modutil_getspnam.c |  2 +-
+ libpam/pam_modutil_private.h  |  9 ++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/libpam/pam_modutil_cleanup.c b/libpam/pam_modutil_cleanup.c
+index 2077cbd7..46233736 100644
+--- a/libpam/pam_modutil_cleanup.c
+++ b/libpam/pam_modutil_cleanup.c
+@@ -5,8 +5,12 @@
+  */
+ 
+ #include "pam_modutil_private.h"
+#include "pam_inline.h"
+ 
+#include <grp.h>
+#include <pwd.h>
+ #include <stdlib.h>
+#include <shadow.h>
+ 
+ void
+ pam_modutil_cleanup (pam_handle_t *pamh UNUSED, void *data,
+@@ -15,3 +19,39 @@ pam_modutil_cleanup (pam_handle_t *pamh UNUSED, void *data,
+ 	/* junk it */
+ 	free(data);
+ }
+
+void
+pam_modutil_cleanup_group (pam_handle_t *pamh UNUSED, void *data,
+			   int error_status UNUSED)
+{
+	struct group *gr = data;
+
+	if (gr && gr->gr_passwd)
+		pam_overwrite_string(gr->gr_passwd);
+
+	free(data);
+}
+
+void
+pam_modutil_cleanup_passwd (pam_handle_t *pamh UNUSED, void *data,
+			    int error_status UNUSED)
+{
+	struct passwd *pw = data;
+
+	if (pw && pw->pw_passwd)
+		pam_overwrite_string(pw->pw_passwd);
+
+	free(data);
+}
+
+void
+pam_modutil_cleanup_shadow (pam_handle_t *pamh UNUSED, void *data,
+			    int error_status UNUSED)
+{
+	struct spwd *sp = data;
+
+	if (sp && sp->sp_pwdp)
+		pam_overwrite_string(sp->sp_pwdp);
+
+	free(data);
+}
+diff --git a/libpam/pam_modutil_getgrgid.c b/libpam/pam_modutil_getgrgid.c
+index 6c2bb31b..fa3436c5 100644
+--- a/libpam/pam_modutil_getgrgid.c
+++ b/libpam/pam_modutil_getgrgid.c
+@@ -62,7 +62,7 @@ pam_modutil_getgrgid(pam_handle_t *pamh, gid_t gid)
+ 		    status = PAM_NO_MODULE_DATA;
+ 	            if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
+ 		        status = pam_set_data(pamh, data_name,
+-					      result, pam_modutil_cleanup);
+					      result, pam_modutil_cleanup_group);
+ 		    }
+ 		    free(data_name);
+ 		    if (status == PAM_SUCCESS) {
+diff --git a/libpam/pam_modutil_getgrnam.c b/libpam/pam_modutil_getgrnam.c
+index 418b9e47..533a8ce6 100644
+--- a/libpam/pam_modutil_getgrnam.c
+++ b/libpam/pam_modutil_getgrnam.c
+@@ -62,7 +62,7 @@ pam_modutil_getgrnam(pam_handle_t *pamh, const char *group)
+ 		    status = PAM_NO_MODULE_DATA;
+ 	            if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
+ 		        status = pam_set_data(pamh, data_name,
+-					      result, pam_modutil_cleanup);
+					      result, pam_modutil_cleanup_group);
+ 		    }
+ 		    free(data_name);
+ 		    if (status == PAM_SUCCESS) {
+diff --git a/libpam/pam_modutil_getpwnam.c b/libpam/pam_modutil_getpwnam.c
+index 5701ba9c..de654aeb 100644
+--- a/libpam/pam_modutil_getpwnam.c
+++ b/libpam/pam_modutil_getpwnam.c
+@@ -62,7 +62,7 @@ pam_modutil_getpwnam(pam_handle_t *pamh, const char *user)
+ 		    status = PAM_NO_MODULE_DATA;
+ 	            if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
+ 		        status = pam_set_data(pamh, data_name,
+-					      result, pam_modutil_cleanup);
+					      result, pam_modutil_cleanup_passwd);
+ 		    }
+ 		    free(data_name);
+ 		    if (status == PAM_SUCCESS) {
+diff --git a/libpam/pam_modutil_getpwuid.c b/libpam/pam_modutil_getpwuid.c
+index d3bb7231..6534958c 100644
+--- a/libpam/pam_modutil_getpwuid.c
+++ b/libpam/pam_modutil_getpwuid.c
+@@ -62,7 +62,7 @@ pam_modutil_getpwuid(pam_handle_t *pamh, uid_t uid)
+ 		    status = PAM_NO_MODULE_DATA;
+ 	            if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
+ 		        status = pam_set_data(pamh, data_name,
+-					      result, pam_modutil_cleanup);
+					      result, pam_modutil_cleanup_passwd);
+ 		    }
+ 		    free(data_name);
+ 		    if (status == PAM_SUCCESS) {
+diff --git a/libpam/pam_modutil_getspnam.c b/libpam/pam_modutil_getspnam.c
+index 9aa6ac9a..9733eda0 100644
+--- a/libpam/pam_modutil_getspnam.c
+++ b/libpam/pam_modutil_getspnam.c
+@@ -62,7 +62,7 @@ pam_modutil_getspnam(pam_handle_t *pamh, const char *user)
+ 		    status = PAM_NO_MODULE_DATA;
+ 	            if (pam_get_data(pamh, data_name, &ignore) != PAM_SUCCESS) {
+ 		        status = pam_set_data(pamh, data_name,
+-					      result, pam_modutil_cleanup);
+					      result, pam_modutil_cleanup_shadow);
+ 		    }
+ 		    free(data_name);
+ 		    if (status == PAM_SUCCESS) {
+diff --git a/libpam/pam_modutil_private.h b/libpam/pam_modutil_private.h
+index 98a30f68..611c7696 100644
+--- a/libpam/pam_modutil_private.h
+++ b/libpam/pam_modutil_private.h
+@@ -20,5 +20,14 @@
+ extern void
+ pam_modutil_cleanup(pam_handle_t *pamh, void *data,
+                     int error_status);
+extern void
+pam_modutil_cleanup_group(pam_handle_t *pamh, void *data,
+			  int error_status);
+extern void
+pam_modutil_cleanup_passwd(pam_handle_t *pamh, void *data,
+			   int error_status);
+extern void
+pam_modutil_cleanup_shadow(pam_handle_t *pamh, void *data,
+			   int error_status);
+ 
+ #endif /* PAMMODUTIL_PRIVATE_H */
+-- 
+2.50.1
+