[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#989573: unblock: pam-u2f/1.1.0-1.1

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Hi Release Team,

Please unblock package pam-u2f

[ Reason / Impact ]
pam-u2f 1.1.0 upstream and so in Debian bullseye was affected by
CVE-2021-31924, #987545. which can lead, depending on the pam-u2f
configuration and the application used, to local PIN bypass.

[ Tests ]
None specific, the enabled tests pass.
(What automated or manual tests cover the affected code?)

[ Risks ]
Small, the patch applied comes from upstream for the affected branch
and is targeted.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pam-u2f/1.1.0-1.1

Regards,
Salvatore

diff -Nru pam-u2f-1.1.0/debian/changelog pam-u2f-1.1.0/debian/changelog
--- pam-u2f-1.1.0/debian/changelog	2020-11-02 13:49:23.000000000 +0100
+++ pam-u2f-1.1.0/debian/changelog	2021-06-05 15:04:24.000000000 +0200
@@ -1,3 +1,10 @@
+pam-u2f (1.1.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle converse() returning NULL (CVE-2021-31924) (Closes: #987545)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 05 Jun 2021 15:04:24 +0200
+
 pam-u2f (1.1.0-1) unstable; urgency=low
 
   * New upstream version 1.1.0 (2020-09-17)
diff -Nru pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch
--- pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch	1970-01-01 01:00:00.000000000 +0100
+++ pam-u2f-1.1.0/debian/patches/Handle-converse-returning-NULL.patch	2021-06-05 15:04:24.000000000 +0200
@@ -0,0 +1,37 @@
+From: pedro martelletto <pedro@yubico.com>
+Date: Wed, 19 May 2021 09:08:44 +0200
+Subject: Handle converse() returning NULL
+Origin: https://github.com/Yubico/pam-u2f/commit/6059b057dd9b6d0164fc16f9422c0d728f902bb5
+Bug: https://github.com/Yubico/pam-u2f/issues/175
+Bug-Debian: https://bugs.debian.org/987545
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31924
+
+If a PIN is required and converse() returns NULL, abort the
+authentication flow instead of reverting to FIDO2 without PIN.
+Fixes #175.
+---
+ util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/util.c b/util.c
+index 3ea1bd2be7e6..fb07dc70d545 100644
+--- a/util.c
++++ b/util.c
+@@ -1379,8 +1379,13 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
+           goto out;
+         }
+ 
+-        if (pin_verification == FIDO_OPT_TRUE)
++        if (pin_verification == FIDO_OPT_TRUE) {
+           pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
++          if (pin == NULL) {
++            D(cfg->debug_file, "converse() returned NULL");
++            goto out;
++          }
++        }
+         if (user_presence == FIDO_OPT_TRUE ||
+             user_verification == FIDO_OPT_TRUE) {
+           if (cfg->manual == 0 && cfg->cue && !cued) {
+-- 
+2.32.0.rc0
+
diff -Nru pam-u2f-1.1.0/debian/patches/series pam-u2f-1.1.0/debian/patches/series
--- pam-u2f-1.1.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ pam-u2f-1.1.0/debian/patches/series	2021-06-05 15:04:24.000000000 +0200
@@ -0,0 +1 @@
+Handle-converse-returning-NULL.patch
Reply to: