Summary: <sys-libs/pam-1.5.1: authentication bypass (CVE-2020-27780)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: A1 [glsa+ cve]
Package list:
Runtime testing required: ---
Description John Helmert III 2020-11-24 17:43:21 UTC
From the changelog at $URL:

Release 1.5.1
* pam_unix: fixed CVE-2020-27780 - authentication bypass when a user doesn't exist and root password is blank

According to the issue this appears to be actively exploited in the wild: https://github.com/linux-pam/linux-pam/issues/284

The only affected version is 1.5.0 according to SUSE (https://www.openwall.com/lists/oss-security/2020/11/24/3); that version is all unstable for us so this will be a trivial bug.
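The changelog entry quoted above describes the bug only as "authentication bypass when a user doesn't exist and root password is blank". The Python model below is an added example, not linux-pam code and not part of this bug report: it assumes the mechanism that makes the two conditions combine, namely that the module reuses root's stored hash for an unknown user (to keep response timing independent of whether the account exists) and that a blank stored hash is accepted for a blank supplied password when nullok is in effect. The toy hash function, the SHADOW table, the SAMPLE_SHADOW lines and the function names are all constructed for illustration. The vulnerable path is shown beside a hardened version that rejects unknown users unconditionally, and blank_hash_accounts() is the check an administrator would run against /etc/shadow to see whether the precondition (a blank root hash) holds on a host.

```python
"""Model of CVE-2020-27780 (pam_unix 1.5.0): added example, not linux-pam code.

All hashes, accounts and shadow lines below are constructed for the example.
"""
import hmac
from hashlib import sha256


def toy_crypt(password: str, setting: str) -> str:
    """Toy stand-in for crypt(3): setting is "$toy$<salt>$..."; returns the
    full hash string "$toy$<salt>$<hex>". Not a real password hash."""
    salt = setting.split("$")[2]
    digest = sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


# Constructed shadow-style table: root has a blank hash (no password at all),
# alice has a normal hash.
SHADOW = {
    "root": "",
    "alice": toy_crypt("correct horse", "$toy$s4lt$"),
}

# A well-formed hash that no password produces; used by the hardened path
# so that an unknown user costs the same time as a real one.
DUMMY_HASH = "$toy$dummy$" + "0" * 64


def _check_hash(password: str, stored: str, nullok: bool) -> bool:
    """Compare a supplied password against a stored hash.

    Blank stored hash: accepted only with nullok and an empty password
    (this model's rule; the page does not give the module's exact rule)."""
    if stored == "":
        return nullok and password == ""
    return hmac.compare_digest(toy_crypt(password, stored), stored)


def verify_vulnerable(user: str, password: str, nullok: bool = True) -> bool:
    """Models the 1.5.0 behaviour as assumed here: an unknown user is
    checked against root's hash and the outcome is trusted."""
    stored = SHADOW.get(user)
    if stored is None:
        # Assumed fallback: reuse root's hash to equalise timing. With a
        # blank root hash this makes any non-existent user + empty
        # password succeed, which is the bypass.
        stored = SHADOW["root"]
    return _check_hash(password, stored, nullok)


def verify_fixed(user: str, password: str, nullok: bool = True) -> bool:
    """Hardened version (this example's approach, not the upstream patch):
    do equal work against a constant non-matching hash, then always reject
    an unknown user regardless of what the comparison returned."""
    stored = SHADOW.get(user)
    if stored is None:
        _check_hash(password, DUMMY_HASH, nullok)
        return False
    return _check_hash(password, stored, nullok)


# Constructed /etc/shadow excerpt: root's password field is empty.
SAMPLE_SHADOW = """\
root::18590:0:99999:7:::
daemon:*:18590:0:99999:7:::
alice:$6$example$notarealhashjustconstructedtext:18590:0:99999:7:::
"""


def blank_hash_accounts(shadow_text: str) -> list[str]:
    """Return account names whose password field (2nd field) is empty.
    Locked ('*', '!') and hashed entries are not reported."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


if __name__ == "__main__":
    print("vulnerable, nosuchuser/'':", verify_vulnerable("nosuchuser", ""))
    print("fixed,      nosuchuser/'':", verify_fixed("nosuchuser", ""))
    print("fixed,      alice/correct :", verify_fixed("alice", "correct horse"))
    print("accounts with blank hash  :", blank_hash_accounts(SAMPLE_SHADOW))
```

On a real host the equivalent of blank_hash_accounts() is reading /etc/shadow as root; an empty second field for root is the precondition the changelog names, and clearing it (set a root password or lock the account) removes the exposure independently of the pam upgrade.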
Comment 1 John Helmert III 2020-11-24 17:44:13 UTC
Comment 2 Lars Wendler (Polynomial-C) 2020-11-25 11:18:35 UTC
Created attachment 674839 [details, diff] pam-1.5.0-CVE-2020-27780.patch Upstream fix as patch file...
Comment 3 Mikle Kolyada 2020-11-25 17:02:21 UTC
Comment on attachment 674839 [details, diff] pam-1.5.0-CVE-2020-27780.patch

I am really waiting for the release here. It is on the way.