Bug 922397 - <sys-libs/pam-1.6.1: local denial of service vulnerability in `pam_namespace.so`
Summary: <sys-libs/pam-1.6.1: local denial of service vulnerability in `pam_namespace.so`
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A3 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-01-18 16:00 UTC by Christopher Fore
Modified: 2024-05-03 08:23 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---
Description Christopher Fore 2024-01-18 16:00:04 UTC
CVE-2024-22365:

The PAM module explicitly supports bind mounting of polyinstantiated
directories in user controlled locations, like beneath the user's home
directory. Operating with root privileges in user controlled directories
comes with a lot of dangers. To avoid them the function `protect_dir()`
implements a special algorithm to protect the target path of a bind
mount.

The function follows the target path for the bind mount starting from
the file system root. Each path component that is under non-root control
is protected from user manipulation, by bind mounting the path upon
itself.

While this approach feels unusual, it should be effective to prevent any
shenanigans on the side of the unprivileged user for whom the directory
is mounted.

There is one bit missing though: The algorithm is not passing the
`O_DIRECTORY` flag to `openat()` and is thus subject to special files like
FIFOs being placed in user controlled directories. This can easily be
reproduced e.g. using this configuration entry in the `namespace.conf`
configuration file:

    $HOME/tmp /var/tmp/tmp-inst/ user:create root

An unprivileged user (that is not yet in a corresponding mount namespace
with ~/tmp mounted as a polyinstantiated dir) can now place a FIFO
there:

    nobody$ mkfifo $HOME/tmp

A subsequent attempt to login as this user with `pam_namespace`
configured will cause the `openat()` in `protect_dir()` to block,
causing a local denial of service.

The above is fixed in 1.6.0 and in this commit: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb
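As an added illustration of the fix the advisory describes (example code written for this bug page, not linux-pam's `protect_dir()` and not the Gentoo ebuild patch), the walk below opens each path component relative to the previous directory fd, the way the advisory says `protect_dir()` does, but with `O_DIRECTORY` set. A FIFO sitting where a directory is expected is then rejected with `ENOTDIR` by the kernel before any read-only open of the FIFO can block waiting for a writer. The fixture under `/tmp`, the component name `tmp` (mirroring the advisory's `mkfifo $HOME/tmp`), the flag macros and the helper names are all constructed for the demo; the bind-mount-upon-itself step of the real function is omitted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flag sets as the advisory describes them (names are this example's):
 * the pre-1.6.0 open lacked O_DIRECTORY, so reaching a FIFO component
 * turned into an open() that blocks until a writer appears. Only the
 * fixed set is ever used below. */
#define WALK_FLAGS_WEAK  (O_RDONLY | O_CLOEXEC)
#define WALK_FLAGS_FIXED (O_RDONLY | O_CLOEXEC | O_DIRECTORY)

/* Open `path` one component at a time, each relative to the previous
 * directory fd (a simplified model of the protect_dir() walk, written for
 * this example). Returns 0 if every component opened as a directory,
 * otherwise the errno of the component that failed. */
int walk_dir_components(const char *path, int flags) {
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_CLOEXEC | O_DIRECTORY);
    if (dirfd < 0)
        return errno;
    char *copy = strdup(path);
    if (copy == NULL) {
        close(dirfd);
        return ENOMEM;
    }
    int rc = 0;
    char *save = NULL;
    for (char *comp = strtok_r(copy, "/", &save); comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        int next = openat(dirfd, comp, flags);
        if (next < 0) {
            rc = errno;          /* ENOTDIR when O_DIRECTORY meets a FIFO */
            break;
        }
        close(dirfd);
        dirfd = next;
    }
    close(dirfd);
    free(copy);
    return rc;
}

/* Constructed fixture: <tmpdir>/tmp is either a FIFO (the advisory's
 * `mkfifo $HOME/tmp`) or a real directory. Walks it with the fixed flags,
 * removes the fixture and returns the walk's result (-1 on setup failure). */
static int walk_fixture(int make_fifo) {
    char base[] = "/tmp/pam-walk-demo.XXXXXX";
    if (mkdtemp(base) == NULL)
        return -1;
    char target[sizeof base + 8];
    snprintf(target, sizeof target, "%s/tmp", base);
    int made = make_fifo ? mkfifo(target, 0600) : mkdir(target, 0700);
    if (made != 0) {
        rmdir(base);
        return -1;
    }
    int rc = walk_dir_components(target, WALK_FLAGS_FIXED);
    if (make_fifo)
        unlink(target);
    else
        rmdir(target);
    rmdir(base);
    return rc;
}

/* Expected: ENOTDIR, the open fails immediately instead of blocking. */
int fifo_component_is_rejected(void) { return walk_fixture(1); }

/* Expected: 0, an ordinary directory walks cleanly. */
int directory_component_is_accepted(void) { return walk_fixture(0); }

int main(void) {
    int fifo_rc = fifo_component_is_rejected();
    int dir_rc = directory_component_is_accepted();
    printf("FIFO component: %s\n", fifo_rc ? strerror(fifo_rc) : "accepted");
    printf("directory component: %s\n", dir_rc ? strerror(dir_rc) : "accepted");
    return (fifo_rc == ENOTDIR && dir_rc == 0) ? 0 : 1;
}
```

The property worth keeping in mind when reviewing similar root-privileged path walks: `O_DIRECTORY` is checked during lookup, so the non-directory case surfaces as an immediate error rather than as a hang at login, which is exactly the failure mode the advisory reports for the unpatched module. The weak flag set is kept only to show the difference; running the walk with it against the FIFO fixture would block.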
Comment 1 Larry the Git Cow gentoo-dev 2024-05-03 08:21:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d95186284e3334576810a06047ffc4922c98e838

commit d95186284e3334576810a06047ffc4922c98e838
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-22 21:27:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-03 08:12:52 +0000

    sys-libs/pam: add 1.6.1, security bump
    
    - Remove patch that is now included in 1.6.1
    - Tests pass
    
    [sam: Add USE=examples.]
    
    Bug: https://bugs.gentoo.org/922397
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36365
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-libs/pam/Manifest         |   2 +
 sys-libs/pam/pam-1.6.1.ebuild | 150 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 152 insertions(+)