Bug#989573: marked as done (unblock: pam-u2f/1.1.0-1.1)

To: Sebastian Ramacher <sramacher@respighi.debian.org>
Subject: Bug#989573: marked as done (unblock: pam-u2f/1.1.0-1.1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Tue, 08 Jun 2021 21:24:03 +0000
Message-id: <[🔎] handler.989573.D989573.162318724110474.ackdone@bugs.debian.org>
Reply-to: 989573@bugs.debian.org
References: <E1lqj9L-0000HU-Ds@respighi.debian.org> <[🔎] 162309783564.50736.530039124183480450.reportbug@eldamar.lan>

Your message dated Tue, 08 Jun 2021 21:20:39 +0000
with message-id <E1lqj9L-0000HU-Ds@respighi.debian.org>
and subject line unblock pam-u2f
has caused the Debian Bug report #989573,
regarding unblock: pam-u2f/1.1.0-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989573
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: pam-u2f/1.1.0-1.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 07 Jun 2021 22:30:35 +0200
Message-id: <[🔎] 162309783564.50736.530039124183480450.reportbug@eldamar.lan>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Hi Release Team,

Please unblock package pam-u2f

[ Reason / Impact ]
pam-u2f 1.1.0 upstream and so in Debian bullseye was affected by
CVE-2021-31924, #987545. which can lead, depending on the pam-u2f
configuration and the application used, to local PIN bypass.

[ Tests ]
None specific, the enabled tests pass.
(What automated or manual tests cover the affected code?)

[ Risks ]
Small, the patch applied comes from upstream for the affected branch
and is targeted.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pam-u2f/1.1.0-1.1

Regards,
Salvatore

diff -Nru pam-u2f-1.1.0/debian/changelog pam-u2f-1.1.0/debian/changelog
--- pam-u2f-1.1.0/debian/changelog	2020-11-02 13:49:23.000000000 +0100
+++ pam-u2f-1.1.0/debian/changelog	2021-06-05 15:04:24.000000000 +0200
@@ -1,3 +1,10 @@
+pam-u2f (1.1.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle converse() returning NULL (CVE-2021-31924) (Closes: #987545)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 05 Jun 2021 15:04:24 +0200
+
 pam-u2f (1.1.0-1) unstable; urgency=low
 
   * New upstream version 1.1.0 (2020-09-17)
diff -Nru pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch
--- pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch	1970-01-01 01:00:00.000000000 +0100
+++ pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch	2021-06-05 15:04:24.000000000 +0200
@@ -0,0 +1,37 @@
+From: pedro martelletto <pedro@yubico.com>
+Date: Wed, 19 May 2021 09:08:44 +0200
+Subject: Handle converse() returning NULL
+Origin: https://github.com/Yubico/pam-u2f/commit/6059b057dd9b6d0164fc16f9422c0d728f902bb5
+Bug: https://github.com/Yubico/pam-u2f/issues/175
+Bug-Debian: https://bugs.debian.org/987545
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31924
+
+If a PIN is required and converse() returns NULL, abort the
+authentication flow instead of reverting to FIDO2 without PIN.
+Fixes #175.
+---
+ util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/util.c b/util.c
+index 3ea1bd2be7e6..fb07dc70d545 100644
+--- a/util.c
++++ b/util.c
+@@ -1379,8 +1379,13 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
+           goto out;
+         }
+ 
+-        if (pin_verification == FIDO_OPT_TRUE)
++        if (pin_verification == FIDO_OPT_TRUE) {
+           pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
++          if (pin == NULL) {
++            D(cfg->debug_file, "converse() returned NULL");
++            goto out;
++          }
++        }
+         if (user_presence == FIDO_OPT_TRUE ||
+             user_verification == FIDO_OPT_TRUE) {
+           if (cfg->manual == 0 && cfg->cue && !cued) {
+-- 
+2.32.0.rc0
+
diff -Nru pam-u2f-1.1.0/debian/patches/series pam-u2f-1.1.0/debian/patches/series
--- pam-u2f-1.1.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ pam-u2f-1.1.0/debian/patches/series	2021-06-05 15:04:24.000000000 +0200
@@ -0,0 +1 @@
+Handle-converse-returning-NULL.patch

--- End Message ---

--- Begin Message ---

To: 989573-done@bugs.debian.org

Subject: unblock pam-u2f

From: Sebastian Ramacher <sramacher@respighi.debian.org>

Date: Tue, 08 Jun 2021 21:20:39 +0000

Message-id: <E1lqj9L-0000HU-Ds@respighi.debian.org>
Unblocked.
--- End Message ---

Reply to:

References:
- Bug#989573: unblock: pam-u2f/1.1.0-1.1
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#989448: marked as done (unblock: htmldoc/1.9.11-4)
Next by Date: Bug#989582: marked as done (unblock: darktable/3.4.1-4)
Previous by thread: Bug#989573: unblock: pam-u2f/1.1.0-1.1
Next by thread: Bug#989582: unblock: darktable/3.4.1-4
Index(es):
- Date
- Thread