CVE-2025-6018 is a local privilege escalation in PAM that requires
`user_readenv=1` to be enabled in the PAM configuration. The default
configuration does not enable reading user environment files (user_readenv
is 0 by default). Hence this vulnerability cannot be exploited using the
default configuration.
(From OE-Core rev: 3f2a9ad03326dc87681cf47ed5f73712ebaa624c)
Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It was added by original commit for CVE-2025-6020-01.patch
475bd60c55 (diff-05f443e6acbe32a148a45648148739bf6f02f13acc5c20c6037bf933223d4d77)
but removed here in the rebase, causing:
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:11: error: call to undeclared function 'dirname'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
326 | parent = dirname(buf);
| ^
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:9: error: incompatible integer to pointer conversion assigning to 'char*' from 'int' [-Wint-conversion]
326 | parent = dirname(buf);
| ^ ~~~~~~~~~~~~
(From OE-Core rev: 6d88a28ac7b6ff61808eb46e5c85dabd17c77f2e)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da.
But not all cases were covered with this fix and issues were reported after the release.
In the v1.6.1 release, PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from b7b9636208
(From OE-Core rev: 78a04ce17e7d828c0cf8cae2164882683d46275e)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in PAM. The secret information is
stored in memory, where the attacker can trigger the victim
program to execute by sending characters to its standard
input (stdin). As this occurs, the attacker can train the
branch predictor to execute an ROP chain speculatively.
This flaw could result in leaked passwords, such as those
found in /etc/shadow while performing authentications.
References:
https://security-tracker.debian.org/tracker/CVE-2024-10041
Upstream patches:
b3020da7da
(From OE-Core rev: 0e76d9bf150ac3bf96081cc1bda07e03e16fe994)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
cracklib was dropped as a dependency in libpam v1.5.0
See the following commit as reference:
d702ff714c
(From OE-Core rev: 7d0c32584846f6cd12e5bda046fb7ad8f8821de4)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport a patch to fix runtime error in pam_pwhistory module when
selinux is enabled:
root@qemux86-64:~# passwd
passwd: System error
passwd: password unchanged
(From OE-Core rev: a985fb71e30d958dcacdcc75f5bbdd0e49f7478a)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
do_install_ptest is only called if ptest is enabled, so don't guard it
again.
(From OE-Core rev: 7f9d0f331ce5b5292117b3d8c23f747a369cfde6)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since systemd-v255, pam-plugin-umask is pulled in by by the logind
package config for systemd. This causes /etc/environment to be installed
as part of libpam-runtime. In our case, this broke do_rootfs for our
image, because /etc/environment is already provided by another (custom)
recipe.
Fix this by making the /etc/environment file part of the pam-plugin-env
package, which isn't automatically pulled in by systemd-logind. It also
happens to be the where it should be, as the file is installed as part
of the pam_env plugin.
(From OE-Core rev: 778fcc8d2e6eb1bd2c88a6abb14dbd6666720205)
Signed-off-by: Martin Hundebøll <martin@geanix.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Drop dependency on gnu-efi, add dependency on pyelftools for EFI builds
- Refresh patches
- Ship new files and directories
- Use meson target to build sd-boot instead of filenames
- Change libpam recipe to set ANY_OF_DISTRO_FEATURES = "pam systemd" to let
logind pull in pam-plugin-umask
(From OE-Core rev: 95ed1fa4ff74a77deade51ad73b2f8963ff81548)
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This came with latest libpam upgrade
../../Linux-PAM-1.5.3/examples/tty_conv.c:9:10: fatal error: 'termio.h' file not found
^~~~~~~~~~
1 error generated.
(From OE-Core rev: 00b5cbad49ccce7f2886b2e70b93e60e054f8f46)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reproducer:
1.Enable the ptest of libpam and build the image.
2.Boot the rootfs with nfs, then run the following tests as root:
cd /usr/share/Linux-PAM/xtests
/usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd1
/usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd3
After applying this patch, the ptest doesn't be failed.
(From OE-Core rev: 549e54ad6a175359b0a57987ccdab8989df9d3a9)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libpam does not have a direct build time dependency toward flex.
The libpam code does not have any references to the lib and does not use
flex for anything else at runtime.
(From OE-Core rev: d48fc8e1f26120e75377caefb5f66eedce50081c)
Signed-off-by: Martin Larsson <martin.larsson@actia.se>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows
authentication bypass for SSH logins. The pam_access.so module doesn't
correctly restrict login if a user tries to connect from an IP address
that is not resolvable via DNS. In such conditions, a user with denied
access to a machine can still get access. NOTE: the relevance of this
issue is largely limited to openSUSE Tumbleweed and openSUSE Factory;
it does not affect Linux-PAM upstream.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28321
Upstream patches:
08992030c523393bef92
(From OE-Core rev: b1fd799af0086347de1ec4b72d562b1fb490def1)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
/var/run in deprecated by systemd, use /run instead, as suggested by systemd.
This fixes the following systemd boot warning:
systemd-tmpfiles[340]: /etc/tmpfiles.d/pam.conf:1: Line references path
below legacy directory /var/run/, updating /var/run/sepermit →
/run/sepermit; please update the tmpfiles.d/ drop-in file accordingly.
(From OE-Core rev: 09eabeff2168c416c18b1c375e095b472830a9b0)
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In commit ceda3238 (meta/meta-selftest/meta-skeleton: Update LICENSE
variable to use SPDX license identifiers) all LICENSE variables were
updated to only use SPDX license identifiers.
This does the same for comments and other variables where it is
appropriate to use the official SPDX license identifiers. There are
still references to, e.g., "GPLv3", but they are then typically in
descriptive text where they refer to the license in a generic sense.
(From OE-Core rev: 165759dced7fbe73b1db2ede67047896071dc6d0)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a patch to check whether files exist.
Before the patch:
# ./run-xtests.sh . tst-pam_access1
mv: cannot stat '/etc/security/opasswd': No such file or directory
PASS: tst-pam_access1
mv: cannot stat '/etc/security/opasswd-pam-xtests': No such file or directory
==================
1 tests passed
0 tests not run
==================
After the patch:
# ./run-xtests.sh . tst-pam_access1
PASS: tst-pam_access1
==================
1 tests passed
0 tests not run
==================
(From OE-Core rev: 4903fdbace057df2e39c10aaef3440f89748eed2)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop patches: issues fixed upstream.
Move .pc files to correct place as libpam is instructed to install them in /lib via
--libdir.
(From OE-Core rev: b2aeaab36d7d46d47301d0729b634d182277cfbd)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Make the license more accurate by specifying the specific variant of BSD
license instead of the generic one. This helps with SPDX license
attribution as "BSD" is not a valid SPDX license.
(From OE-Core rev: d9948d0439cf26af9f570e9a9d0d214294bae504)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
tst-pam_start_confdir needs a file called confdir and it should reside
in directory pointed by srcdir env variable, therefore copy confdir into
ptest package and export srcdir before running the ptests
(From OE-Core rev: 149d84b7eba8240737a301d0fd75b69e8a767854)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
from commit b0384720a4,
which upgrade libpam to 1.5.1, packaging is adjustd,
and the binary is packaged into libpam-runtime, so we
don't need to append them to pam-plugin-xxx.
(From OE-Core rev: 7b5a53152c0213f5efcf39c2442bb3b630f8cc09)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These issues are addressed in libpam overtime and no longer needed thusly
in 1.5.x
(From OE-Core rev: 488c554623839d17436333894f9f4b244347de9d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove crypt_configure.patch, issue fixed upstream.
Remove pam-security-abstract-securetty-handling.patch and
pam-unix-nullok-secure.patch, patches coming from debian,
difficult to rebase, and their purpose is unclear.
Disable doc generation, as libpam messes up native and target
compiler options.
Adjust dependencies and packaging.
(From OE-Core rev: 43e3d014748b1ccff25c232b1e6d9345859c0f29)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libpam does not support 'obscure' checks to password,
there are the same checks in pam_cracklib module.
And this fix can remove the below error message while
updating password with 'passwd':
pam_unix(passwd:chauthtok):unrecognized option[obscure]
(From OE-Core rev: ea761dbac90be77797308666fe1586b05e3df824)
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add userdb packageconfig to control the building of the pam_userdb.so module.
This depends on dbm support being compiled in for the berkley db package.
Also, remove "--with-db-uniquename=_pam" from EXTRA_OECONF. It makes the checks
for libdb fail because it searches for the wrong symbols in libdb (and libdb
was not configured with --with-uniquename=_pam option).
db.do_configure:
checking if --with-uniquename=NAME option specified... no
libpam.do_configure:
checking for db_create_pam... no
checking for db_create... no
checking for dbm_store_pam... no
checking for dbm_store... no
checking for dbm_store in -lndbm... no
(From OE-Core rev: 3130f43c51fb9b2aed9bb7805a820ea90e68276a)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Besides checking DISTRO_FEATURES for required or conflicting features,
being able to check MACHINE_FEATURES and/or COMBINED_FEATURES may also
be useful at times.
Temporarily support the old class name with a warning about future
deprecation.
(From OE-Core rev: 5f4875b950ce199e91f99c8e945a0c709166dc14)
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recent upgrade to the recipe moved SRC_URI to github. Fix the version
check accordingly.
(From OE-Core rev: 6119272f8855f949d428e12ab4da987d43a6adbf)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Or alternatively GPL, the same as the top-level Linux-PAM COPYING.
(From OE-Core rev: 025c1b384635ef7a85e9f45f048901d6680563ae)
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix handling of escape characters in regexs and hence fix python
Deprecation warnings which will be problematic in python 3.8.
Note that some show up as:
"""
meta/classes/package.bbclass:1293: DeprecationWarning: invalid escape sequence \.
"""
where the problem isn't on 1293 in package.bbclass but in some _prepend to a
package.bbclass function in a different file like mesa.inc, often from
do_package_split() calls.
(From OE-Core rev: 4b1c0c7d5525fc4cea9e0f02ec54e92a6fbc6199)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 994e43acc67efeb33d859be071609daa844e9b77)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* replace do_pam_sanity function with distro_features_check inherit
* fixes:
WARNING: libpam-1.3.0-r5 do_pam_sanity: Building libpam but 'pam' isn't in DISTRO_FEATURES, PAM won't work correctly
in world builds and prevents user to build libpam at all without pam
in DISTRO_FEATURES, I don't see any users of this which wouldn't respect
pam in DISTRO_FEATURES
* only libuser is depending on libpam without respecting DISTRO_FEATURES
* there are few recipes in meta-oe layers depending on libpam without
respecting DISTRO_FEATURES, I've sent patch for them:
samba, openwsman, pam-ssh-agent-auth, sblim-sfcb, passwdqc, python-pam, smbnetfs
and omxplayer in meta-raspberrypi, I've sent PR for that one:
https://github.com/agherzan/meta-raspberrypi/pull/192
* poky-lsb will need to add pam to DISTRO_FEATURES in order to build
packagegroup-core-lsb
(From OE-Core rev: c9e7a276859d38aaa03845ee09428f62760ad147)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
uclibc support was removed a while ago and musl works much better. Start to
remove the various overrides and patches related to uclibc which are no longer
needed.
uclibc support in a layer would still be possible. I have strong reasons to
believe nobody is still using uclibc since patches are missing and I doubt
the metadata even parses anymore.
(From OE-Core rev: 653704e9cf325cb494eb23facca19e9f05132ffd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
