pam: Add patch to fix CVE-2024-10041 (#11302)

Author: aditjha-msft

SPECS/pam/CVE-2024-10041.patch

@@ -0,0 +1,82 @@
+From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@strace.io>
+Date: Mon, 1 Jan 2024 12:00:00 +0000
+Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow
+ password file entries
+
+Initially, when pam_unix.so verified the password, it used to try to
+obtain the shadow password file entry for the given user by invoking
+getspnam(3), and only when that didn't work and the effective uid
+was nonzero, pam_unix.so used to invoke the helper as a fallback.
+
+When SELinux support was introduced by commit
+67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
+also for the case when SELinux was enabled.
+
+Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
+fallback conditions for the case when pam_modutil_getspnam() failed
+with EACCES.
+
+Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
+invoked as a fallback when pam_modutil_getspnam() fails for any reason.
+
+The ultimate solution for the case when pam_unix.so does not have
+permissions to obtain the shadow password file entry is to stop trying
+to use pam_modutil_getspnam() and to invoke the helper instead.
+Here are two recent examples.
+
+https://github.com/linux-pam/linux-pam/pull/484 describes a system
+configuration where libnss_systemd is enabled along with libnss_files
+in the shadow entry of nsswitch.conf, so when libnss_files is unable
+to obtain the shadow password file entry for the root user, e.g. when
+SELinux is enabled, NSS falls back to libnss_systemd which returns
+a synthesized shadow password file entry for the root user, which
+in turn locks the root user out.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
+essentially the same problem in a similar system configuration.
+
+This commit is the final step in the direction of addressing the issue:
+for password verification pam_unix.so now invokes the helper instead of
+making the pam_modutil_getspnam() call.
+
+* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
+Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
+the shadow password file entry.
+
+Complements: https://github.com/linux-pam/linux-pam/pull/386
+Resolves: https://github.com/linux-pam/linux-pam/pull/484
+Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
+---
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f8..7ab674b 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -239,17 +239,21 @@ PAMH_ARG_DECL(int get_account_info,
+ 			return PAM_UNIX_RUN_HELPER;
+ #endif
+ 		} else if (is_pwd_shadowed(*pwd)) {
++#ifdef HELPER_COMPILE
+ 			/*
+-			 * ...and shadow password file entry for this user,
++			 * shadow password file entry for this user,
+ 			 * if shadowing is enabled
+ 			 */
+-#ifndef HELPER_COMPILE
+-			if (geteuid() || SELINUX_ENABLED)
+-				return PAM_UNIX_RUN_HELPER;
+-#endif
+-			*spwdent = pam_modutil_getspnam(pamh, name);
++			*spwdent = getspnam(name);
+ 			if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ 				return PAM_AUTHINFO_UNAVAIL;
++#else
++			/*
++			 * The helper has to be invoked to deal with
++			 * the shadow password file entry.
++			 */
++			 return PAM_UNIX_RUN_HELPER;
++#endif
+ 		}
+ 	} else {
+ 		return PAM_USER_UNKNOWN;

SPECS/pam/pam.spec

@@ -1,7 +1,7 @@
 Summary:        Linux Pluggable Authentication Modules
 Name:           pam
 Version:        1.5.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        BSD and GPLv2+
 URL:            https://github.com/linux-pam/linux-pam
 Source0:        https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz
@@ -15,6 +15,7 @@ Requires:       audit-libs
 Recommends:     cracklib-dicts
 
 Patch0:         CVE-2024-22365.patch
+Patch1:         CVE-2024-10041.patch
 
 %description
 The Linux PAM package contains Pluggable Authentication Modules used to
@@ -100,6 +101,9 @@ EOF
 %{_docdir}/%{name}-%{version}/*
 
 %changelog
+* Tue Dec 03 2024 Adit Jha <aditjha@microsoft.com> - 1.5.1-7
+- Add patch for CVE-2024-10041
+
 * Fri Mar 08 2024 Saul Paredes <saulparedes@microsoft.com> - 1.5.1-6
 - Add patch for CVE-2024-22365
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -281,10 +281,10 @@ p11-kit-debuginfo-0.24.1-1.cm2.aarch64.rpm
 p11-kit-devel-0.24.1-1.cm2.aarch64.rpm
 p11-kit-server-0.24.1-1.cm2.aarch64.rpm
 p11-kit-trust-0.24.1-1.cm2.aarch64.rpm
-pam-1.5.1-6.cm2.aarch64.rpm
-pam-debuginfo-1.5.1-6.cm2.aarch64.rpm
-pam-devel-1.5.1-6.cm2.aarch64.rpm
-pam-lang-1.5.1-6.cm2.aarch64.rpm
+pam-1.5.1-7.cm2.aarch64.rpm
+pam-debuginfo-1.5.1-7.cm2.aarch64.rpm
+pam-devel-1.5.1-7.cm2.aarch64.rpm
+pam-lang-1.5.1-7.cm2.aarch64.rpm
 patch-2.7.6-8.cm2.aarch64.rpm
 patch-debuginfo-2.7.6-8.cm2.aarch64.rpm
 pcre-8.45-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -287,10 +287,10 @@ p11-kit-debuginfo-0.24.1-1.cm2.x86_64.rpm
 p11-kit-devel-0.24.1-1.cm2.x86_64.rpm
 p11-kit-server-0.24.1-1.cm2.x86_64.rpm
 p11-kit-trust-0.24.1-1.cm2.x86_64.rpm
-pam-1.5.1-6.cm2.x86_64.rpm
-pam-debuginfo-1.5.1-6.cm2.x86_64.rpm
-pam-devel-1.5.1-6.cm2.x86_64.rpm
-pam-lang-1.5.1-6.cm2.x86_64.rpm
+pam-1.5.1-7.cm2.x86_64.rpm
+pam-debuginfo-1.5.1-7.cm2.x86_64.rpm
+pam-devel-1.5.1-7.cm2.x86_64.rpm
+pam-lang-1.5.1-7.cm2.x86_64.rpm
 patch-2.7.6-8.cm2.x86_64.rpm
 patch-debuginfo-2.7.6-8.cm2.x86_64.rpm
 pcre-8.45-2.cm2.x86_64.rpm