Hi Salvatore, Thanks a bunch for the fix. OK with that NMU from my side. Best, nicoo On Mon, Jun 07, 2021 at 10:30:35PM +0200, Salvatore Bonaccorso wrote: > Package: release.debian.org > Severity: normal > User: release.debian.org@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: carnil@debian.org > > Hi Release Team, > > Please unblock package pam-u2f > > [ Reason / Impact ] > pam-u2f 1.1.0 upstream and so in Debian bullseye was affected by > CVE-2021-31924, #987545. which can lead, depending on the pam-u2f > configuration and the application used, to local PIN bypass. > > [ Tests ] > None specific, the enabled tests pass. > (What automated or manual tests cover the affected code?) > > [ Risks ] > Small, the patch applied comes from upstream for the affected branch > and is targeted. > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > unblock pam-u2f/1.1.0-1.1 > > Regards, > Salvatore > diff -Nru pam-u2f-1.1.0/debian/changelog pam-u2f-1.1.0/debian/changelog > --- pam-u2f-1.1.0/debian/changelog 2020-11-02 13:49:23.000000000 +0100 > +++ pam-u2f-1.1.0/debian/changelog 2021-06-05 15:04:24.000000000 +0200 > @@ -1,3 +1,10 @@ > +pam-u2f (1.1.0-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Handle converse() returning NULL (CVE-2021-31924) (Closes: #987545) > + > + -- Salvatore Bonaccorso <carnil@debian.org> Sat, 05 Jun 2021 15:04:24 +0200 > + > pam-u2f (1.1.0-1) unstable; urgency=low > > * New upstream version 1.1.0 (2020-09-17) > diff -Nru pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch > --- pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch 1970-01-01 01:00:00.000000000 +0100 > +++ pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch 2021-06-05 15:04:24.000000000 +0200 
> @@ -0,0 +1,37 @@ > +From: pedro martelletto <pedro@yubico.com> > +Date: Wed, 19 May 2021 09:08:44 +0200 > +Subject: Handle converse() returning NULL > +Origin: https://github.com/Yubico/pam-u2f/commit/6059b057dd9b6d0164fc16f9422c0d728f902bb5 > +Bug: https://github.com/Yubico/pam-u2f/issues/175 > +Bug-Debian: https://bugs.debian.org/987545 > +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31924 > + > +If a PIN is required and converse() returns NULL, abort the > +authentication flow instead of reverting to FIDO2 without PIN. > +Fixes #175. > +--- > + util.c | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/util.c b/util.c > +index 3ea1bd2be7e6..fb07dc70d545 100644 > +--- a/util.c > ++++ b/util.c > +@@ -1379,8 +1379,13 @@ int do_authentication(const cfg_t *cfg, const device_t *devices, > + goto out; > + } > + > +- if (pin_verification == FIDO_OPT_TRUE) > ++ if (pin_verification == FIDO_OPT_TRUE) { > + pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: "); > ++ if (pin == NULL) { > ++ D(cfg->debug_file, "converse() returned NULL"); > ++ goto out; > ++ } > ++ } > + if (user_presence == FIDO_OPT_TRUE || > + user_verification == FIDO_OPT_TRUE) { > + if (cfg->manual == 0 && cfg->cue && !cued) { > +-- > +2.32.0.rc0 > + > diff -Nru pam-u2f-1.1.0/debian/patches/series pam-u2f-1.1.0/debian/patches/series > --- pam-u2f-1.1.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 > +++ pam-u2f-1.1.0/debian/patches/series 2021-06-05 15:04:24.000000000 +0200 > @@ -0,0 +1 @@ > +Handle-converse-returning-NULL.patch
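Review bot: the new `goto out` on the `pin == NULL` path in the util.c hunk jumps to the common exit without setting a return code, and the visible context does not show what the function's result variable holds at that point; confirm that reaching `out` from here yields an authentication failure rather than PAM_SUCCESS or an uninitialised value, otherwise the early exit still fails open, just differently from the fallback-to-no-PIN behaviour it replaces. The `goto out` two lines above the change (`goto out; }`) follows the same pattern, which suggests the function initialises its result to a failure code on entry, but that should be checked in util.c rather than assumed, for example by adding an explicit `retval = PAM_AUTH_ERR;` (or whatever the function's failure variable is) before the new `goto out` if it is not already the default.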