Hi Salvatore,
Thanks a bunch for the fix.
OK with that NMU from my side.
Best,
nicoo
On Mon, Jun 07, 2021 at 10:30:35PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: carnil@debian.org
>
> Hi Release Team,
>
> Please unblock package pam-u2f
>
> [ Reason / Impact ]
> pam-u2f 1.1.0 upstream and so in Debian bullseye was affected by
> CVE-2021-31924, #987545. which can lead, depending on the pam-u2f
> configuration and the application used, to local PIN bypass.
>
> [ Tests ]
> None specific, the enabled tests pass.
> (What automated or manual tests cover the affected code?)
>
> [ Risks ]
> Small, the patch applied comes from upstream for the affected branch
> and is targeted.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock pam-u2f/1.1.0-1.1
>
> Regards,
> Salvatore
> diff -Nru pam-u2f-1.1.0/debian/changelog pam-u2f-1.1.0/debian/changelog
> --- pam-u2f-1.1.0/debian/changelog 2020-11-02 13:49:23.000000000 +0100
> +++ pam-u2f-1.1.0/debian/changelog 2021-06-05 15:04:24.000000000 +0200
> @@ -1,3 +1,10 @@
> +pam-u2f (1.1.0-1.1) unstable; urgency=medium
> +
> + * Non-maintainer upload.
> + * Handle converse() returning NULL (CVE-2021-31924) (Closes: #987545)
> +
> + -- Salvatore Bonaccorso <carnil@debian.org> Sat, 05 Jun 2021 15:04:24 +0200
> +
> pam-u2f (1.1.0-1) unstable; urgency=low
>
> * New upstream version 1.1.0 (2020-09-17)
> diff -Nru pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch
> --- pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch 1970-01-01 01:00:00.000000000 +0100
> +++ pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch 2021-06-05 15:04:24.000000000 +0200
> @@ -0,0 +1,37 @@
> +From: pedro martelletto <pedro@yubico.com>
> +Date: Wed, 19 May 2021 09:08:44 +0200
> +Subject: Handle converse() returning NULL
> +Origin: https://github.com/Yubico/pam-u2f/commit/6059b057dd9b6d0164fc16f9422c0d728f902bb5
> +Bug: https://github.com/Yubico/pam-u2f/issues/175
> +Bug-Debian: https://bugs.debian.org/987545
> +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31924
> +
> +If a PIN is required and converse() returns NULL, abort the
> +authentication flow instead of reverting to FIDO2 without PIN.
> +Fixes #175.
> +---
> + util.c | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/util.c b/util.c
> +index 3ea1bd2be7e6..fb07dc70d545 100644
> +--- a/util.c
> ++++ b/util.c
> +@@ -1379,8 +1379,13 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
> + goto out;
> + }
> +
> +- if (pin_verification == FIDO_OPT_TRUE)
> ++ if (pin_verification == FIDO_OPT_TRUE) {
> + pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
> ++ if (pin == NULL) {
> ++ D(cfg->debug_file, "converse() returned NULL");
> ++ goto out;
> ++ }
> ++ }
> + if (user_presence == FIDO_OPT_TRUE ||
> + user_verification == FIDO_OPT_TRUE) {
> + if (cfg->manual == 0 && cfg->cue && !cued) {
> +--
> +2.32.0.rc0
> +
> diff -Nru pam-u2f-1.1.0/debian/patches/series pam-u2f-1.1.0/debian/patches/series
> --- pam-u2f-1.1.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
> +++ pam-u2f-1.1.0/debian/patches/series 2021-06-05 15:04:24.000000000 +0200
> @@ -0,0 +1 @@
> +Handle-converse-returning-NULL.patch
Attachment:
signature.asc
Description: PGP signature