Opened 13 months ago
Closed 13 months ago
#19142 closed enhancement (fixed)
Linux-PAM-1.6.0
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 12.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version.
Change History (6)
follow-up: 2 comment:1 by , 13 months ago
Priority: | normal → elevated |
---|
comment:2 by , 13 months ago
Replying to Douglas R. Reno:
Fixes a CVE in pam_namespace.so: CVE-2024-22365. It appears to be a local denial of service, rated at Medium
BLFS pam configuration does not use it anyway. It is referred in the /etc/pam.d/systemd-user file shipped by systemd but we are recreating it.
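The claim above, that the affected module is only a risk if it is actually loaded, is easy to verify on a given system. The following is an added example (not part of the ticket or of Linux-PAM) that scans a pam.d directory for live, non-commented references to pam_namespace.so; the directory path and the sample service files it constructs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket: report PAM service files that load
# pam_namespace.so, ignoring anything after '#'. Argument: the pam.d
# directory (defaults to /etc/pam.d). Prints "file:line:entry" for each
# live reference; returns 0 if at least one exists, 1 otherwise.
find_pam_namespace_refs() {
    dir="${1:-/etc/pam.d}"
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Strip comments first so a commented-out line does not count.
        matches=$(sed 's/#.*//' "$f" | grep -n 'pam_namespace\.so' || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | sed "s|^|$f:|"
            found=0
        fi
    done
    return $found
}

# Constructed sample pam.d tree (assumed content, for an offline run):
# one unrelated service, one commented-out reference, one live reference.
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'session  optional  pam_systemd.so\n' > "$d/systemd-user"
    printf '# session required pam_namespace.so\n' > "$d/login"
    printf 'session  required  pam_namespace.so\n' > "$d/sshd"
    printf '%s' "$d"
}

# Usage: sh check_pam_namespace.sh --demo   (scan the constructed sample)
#        sh check_pam_namespace.sh /etc/pam.d (scan a real directory)
if [ "${1:-}" = "--demo" ]; then
    find_pam_namespace_refs "$(make_sample_pamd)"
elif [ -n "${1:-}" ]; then
    find_pam_namespace_refs "$1"
fi
```

Only the sshd file in the sample is reported: the reference in login is commented out and therefore never loaded, which is exactly the distinction the ticket draws between a module being shipped and a module being in use.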
comment:3 by , 13 months ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 13 months ago
Noteworthy changes in Linux-PAM 1.6.0

Added support of configuration files with arbitrarily long lines.
build: fixed build outside of the source tree.
libpam: added use of getrandom(2) as a source of randomness if available.
libpam: fixed calculation of fail delay with very long delays.
libpam: fixed potential infinite recursion with includes.
libpam: implemented string to number conversions validation when parsing controls in configuration.
pam_access: added quiet_log option.
pam_access: fixed truncation of very long group names.
pam_canonicalize_user: new module to canonicalize user name.
pam_echo: fixed file handling to prevent overflows and short reads.
pam_env: added support of '' character in environment variable values.
pam_exec: allowed expose_authtok for password PAM_TYPE.
pam_exec: fixed stack overflow with binary output of programs.
pam_faildelay: implemented parameter ranges validation.
pam_listfile: changed to treat \r and \n exactly the same in configuration.
pam_mkhomedir: hardened directory creation against timing attacks. Please note that using *at functions leads to more open file handles during creation.
pam_namespace: fixed potential local DoS (CVE-2024-22365).
pam_nologin: fixed file handling to prevent short reads.
pam_pwhistory: helper binary is now built only if SELinux support is enabled.
pam_pwhistory: implemented reliable usernames handling when remembering passwords.
pam_shells: changed to allow shell entries with absolute paths only.
pam_succeed_if: fixed treating empty strings as numerical value 0.
pam_unix: added support of disabled password aging.
pam_unix: synchronized password aging with shadow.
pam_unix: implemented string to number conversions validation.
pam_unix: fixed truncation of very long user names.
pam_unix: corrected rounds retrieval for configured encryption method.
pam_unix: implemented reliable usernames handling when remembering passwords.
pam_unix: changed to always run the helper to obtain shadow password entries.
pam_unix: unix_update helper binary is now built only if SELinux support is enabled.
pam_unix: added audit support to unix_update helper.
pam_userdb: added gdbm support.
Multiple minor bug fixes, portability fixes, documentation improvements, and translation updates.
It looks like we'll need to drop unix_update and pwhistory_helper from the installed files and descriptions since they now need SELinux.
comment:5 by , 13 months ago
The release notes seem to be incorrect on that. I don't have anything relating to selinux support in my log other than:
checking for getfilecon in -lselinux... no
which makes sense, we don't have SELinux, but I still have:
renodr [ /sources/Linux-PAM-1.6.0/install ]$ ls -l usr/sbin
total 412
-rwxr-xr-x 1 root root  54624 Jan 18 13:34 faillock
-rwxr-xr-x 1 root root  35128 Jan 18 13:34 mkhomedir_helper
-rwxr-xr-x 1 root root    467 Jan 18 13:34 pam_namespace_helper
-rwxr-xr-x 1 root root  32216 Jan 18 13:34 pam_timestamp_check
-rwxr-xr-x 1 root root  52456 Jan 18 13:34 pwhistory_helper
-rwxr-xr-x 1 root root 115336 Jan 18 13:34 unix_chkpwd
-rwxr-xr-x 1 root root 116288 Jan 18 13:34 unix_update
Running these programs just says "This binary is not designed for running in this way", but since it seems to be normal I will leave them in.
comment:6 by , 13 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at 3c1cfcf75a9b4c7fced7a57bbe2947805d1db57d
SA-12.0-073 issued, with a note that a normal BLFS system is not affected unless the user has added pam_namespace.so into their configuration.