Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 756361 (CVE-2020-27780) - <sys-libs/pam-1.5.1: authentication bypass (CVE-2020-27780)
Summary: <sys-libs/pam-1.5.1: authentication bypass (CVE-2020-27780)
Status: RESOLVED FIXED
Alias: CVE-2020-27780
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://github.com/linux-pam/linux-pa...
Whiteboard: A1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-24 17:43 UTC by John Helmert III
Modified: 2020-12-07 00:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
pam-1.5.0-CVE-2020-27780.patch (pam-1.5.0-CVE-2020-27780.patch,2.71 KB, patch)
2020-11-25 11:18 UTC, Lars Wendler (Polynomial-C) (RETIRED) 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-24 17:43:21 UTC 
From the changelog at $URL:

Release 1.5.1 
* pam_unix: fixed CVE-2020-27780 - authentication bypass when an
            user doesn't exist and root password is blank

According to the issue this appears to be actively exploited in the wild:
https://github.com/linux-pam/linux-pam/issues/284

The only affected version is 1.5.0 accord to SUSE (https://www.openwall.com/lists/oss-security/2020/11/24/3), that version is all unstable for us so this will be a trivial bug.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-24 17:44:13 UTC 
Please bump.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-11-25 11:18:35 UTC 
Created attachment 674839 [details, diff]
pam-1.5.0-CVE-2020-27780.patch

Upstream fix as patch file...
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-11-25 17:02:21 UTC 
Comment on attachment 674839 [details, diff]
pam-1.5.0-CVE-2020-27780.patch

I am really waiting for the release here. It is on the way.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-12-07 00:38:57 UTC 
This issue was resolved and addressed in
 GLSA 202012-06 at https://security.gentoo.org/glsa/202012-06
by GLSA coordinator Thomas Deutschmann (whissi).