Your message dated Mon, 07 Jun 2021 13:33:46 +0000
with message-id <[email protected]>
and subject line Bug#987545: fixed in pam-u2f 1.1.0-1.1
has caused the Debian Bug report #987545,
regarding libpam-u2f: CVE-2021-31924: libpam_u2f does not require pin regardless of key definition
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987545: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987545
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-u2f
Version: 1.1.0-1
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: [email protected]

I issued it directly against the pam-u2f module, at
https://github.com/Yubico/pam-u2f/issues/175
but I am not sure if they want to do anything about it.
I did some digging and found that the pin verification flags are used only to print
the prompt for the pin,
but then there is no check whether the pin is not null.
And the libfido2 library, in case of a null pin, does not perform pin checking.
So my PoC solution is attached (I hope this properly releases resources).



-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6       2.31-11
ii  libfido2-1  1.6.0-2
ii  libpam0g    1.4.0-7
ii  libssl1.1   1.1.1k-1

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg  1.1.0-1

libpam-u2f suggests no packages.

-- no debconf information
--- pam-u2f-1.1.0/util.c        2020-08-10 09:19:44.000000000 +0200
+++ pam-u2f-1.1.0-kj/util.c     2021-04-25 13:42:44.707869293 +0200
@@ -1370,8 +1370,12 @@
           goto out;
         }
 
-        if (pin_verification == FIDO_OPT_TRUE)
+        if (pin_verification == FIDO_OPT_TRUE) {
           pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
+                 if (!pin)
+                         goto out; 
+          
+               }
         if (user_presence == FIDO_OPT_TRUE ||
             user_verification == FIDO_OPT_TRUE) {
           if (cfg->manual == 0 && cfg->cue && !cued) {
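Review bot: the added lines inside the new braces are indented with a different width from the surrounding two-space style, the `goto out;` line carries trailing whitespace, and there is a blank line between it and the closing brace; aligning them with the existing `if (pin_verification == FIDO_OPT_TRUE)` indentation would keep the block readable. Consider also emitting a debug message before `goto out` when `converse()` returns NULL, so that a missing conversation function or an aborted prompt is distinguishable in logs from an ordinary authentication failure.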

--- End Message ---
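The fail-open path the report describes, shown as an added C example that is not part of the bug report or of pam-u2f: device_get_assert() stands in for libfido2's fido_dev_get_assert() (assumption, matching the reporter's statement: a NULL pin means PIN verification is skipped), the converse_* functions stand in for the PAM conversation, and DEVICE_PIN is a constructed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the libfido2 PIN semantics the report relies on (assumption, not the
 * real library): a NULL pin means "do not perform PIN verification", so the
 * assertion is returned without any PIN ever being checked. Constructed PIN. */
static const char *DEVICE_PIN = "1234";

static bool device_get_assert(const char *pin)
{
    if (pin == NULL)
        return true;                 /* no PIN requested: assertion succeeds */
    return strcmp(pin, DEVICE_PIN) == 0;
}

/* Stand-ins for the PAM conversation. converse_fail models the prompt returning
 * NULL (no tty, caller without a conversation function, user aborts). */
static const char *converse_fail(void) { return NULL; }
static const char *converse_ok(void)   { return "1234"; }
static const char *converse_bad(void)  { return "0000"; }

/* Flow before the fix: pin_verification only decides whether to prompt. A NULL
 * result is handed straight to the device, which then skips PIN verification,
 * so a required PIN silently degrades to no PIN at all. */
bool authenticate_vulnerable(bool pin_verification, const char *(*converse)(void))
{
    const char *pin = NULL;
    if (pin_verification)
        pin = converse();
    return device_get_assert(pin);
}

/* Flow with the check from the report: a required PIN that could not be
 * obtained aborts authentication instead of downgrading it. */
bool authenticate_fixed(bool pin_verification, const char *(*converse)(void))
{
    const char *pin = NULL;
    if (pin_verification) {
        pin = converse();
        if (!pin)
            return false;            /* fail closed: required PIN is missing */
    }
    return device_get_assert(pin);
}
```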
--- Begin Message ---
Source: pam-u2f
Source-Version: 1.1.0-1.1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pam-u2f, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated pam-u2f package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 05 Jun 2021 15:04:24 +0200
Source: pam-u2f
Architecture: source
Version: 1.1.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Authentication Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 987545
Changes:
 pam-u2f (1.1.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Handle converse() returning NULL (CVE-2021-31924) (Closes: #987545)
Checksums-Sha1: 
 8cc1962bd5c11a372f5d1b996bcdc8f71c653038 2446 pam-u2f_1.1.0-1.1.dsc
 5d5016e73dfd65c9a1bbfd1d49f142d85edfcc28 44216 pam-u2f_1.1.0-1.1.debian.tar.xz
Checksums-Sha256:
 ea72eb59798d191084164da36b5024855a0e683eb865f072cf2f488e09f597ac 2446 pam-u2f_1.1.0-1.1.dsc
 069de6cd83ce61194823e4d865a706bd190a3c2b1726b7666dd02c188672c458 44216 pam-u2f_1.1.0-1.1.debian.tar.xz
Files:
 769117a66cd51addc42ec8f470bc5bab 2446 admin optional pam-u2f_1.1.0-1.1.dsc
 fc312f3cb0cf3b6b540ccef90195fa96 44216 admin optional pam-u2f_1.1.0-1.1.debian.tar.xz


--- End Message ---