From: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:17.pam_xdg
Date: Tue, 29 Oct 2024 21:32:36 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-announce

=============================================================================
FreeBSD-EN-24:17.pam_xdg                                        Errata Notice
                                                          The FreeBSD Project

Topic:          XDG runtime directory's file descriptor leak at login

Category:       core
Module:         pam_xdg
Announced:      2024-10-29
Credits:        Olivier Certner
Affects:        FreeBSD 14.1
Corrected:      2024-09-03 13:28:58 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:57:01 UTC (releng/14.1, 14.1-RELEASE-p6)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

pam_xdg(8) is a PAM module which sets up directories and environment
variables per the XDG Base Directory Specification[1].
In particular, it creates a per-user directory to contain non-essential
runtime files and sets the environment variable XDG_RUNTIME_DIR to point
to it.

II.  Problem Description

As a user logs in, if the per-user XDG_RUNTIME_DIR directory already
exists, a file descriptor to that directory is leaked in the calling
process.

III. Impact

This leaked directory file descriptor is inherited by all descendant
processes that do not explicitly close it. In particular, it prevents an
administrator from using jexec(8) or launching a new jail via jail(8), as
both commands use the jail_attach(2) system call, which fails with EPERM
if the calling process has an open directory in its file descriptor
table, as a security measure to prevent jail escape.

This file descriptor leak is normally harmless from a security standpoint,
as the XDG_RUNTIME_DIR directory's content is usually readable and
modifiable only by its owner and its group.

IV.  Workaround

Shell primitives can close the leaking file descriptor before running
jexec(8) or jail(8). For sh-like shells, use 'exec X>&-', where X is the
number of the leaked file descriptor obtained with 'fstat -p $$'.

Alternatively, use a login program or shell that closes all inherited
file descriptors for root, such as sudo(8) or csh(1).

Lastly, on machines not running a Freedesktop-based GUI desktop, or one
that can set XDG_RUNTIME_DIR by itself (e.g., KDE), disable pam_xdg(8)
completely by commenting out the corresponding lines in
'/etc/pam.d/system' and '/etc/pam.d/xdm'.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

A reboot is advised following the upgrade, or a logout/re-login of your
jail working sessions if practical.
Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is advised following the upgrade, or a logout/re-login of your
jail working sessions if practical.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch
# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch.asc
# gpg --verify pam_xdg.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

A reboot is advised following the upgrade, or a logout/re-login of your
jail working sessions if practical.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              9e8d504bb5a1    stable/14-n268630
releng/14.1/                            accf8cee6dd0  releng/14.1-n267726
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

[1]
[2]

The latest revision of this advisory is available at
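The leak described in section II and the open-directory precondition of jail_attach(2) from section III, as an added illustration in C that is neither pam_xdg's code nor part of the advisory; the directory path, the function names and the shape of the leaky and fixed routines are assumptions for the demo:

```c
#define _POSIX_C_SOURCE 200809L   /* for O_DIRECTORY, O_CLOEXEC, sysconf */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Section III's precondition: jail_attach(2) returns EPERM when any open
 * descriptor refers to a directory. This counts such descriptors. */
int count_open_dir_fds(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 4096) maxfd = 4096;
    int count = 0;
    for (int fd = 0; fd < maxfd; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) count++;
    }
    return count;
}

/* Leaky shape (assumed for the demo, not pam_xdg's code): the descriptor
 * opened to inspect an existing directory is never released, so it is inherited. */
int setup_runtime_dir_leaky(const char *path) {
    if (mkdir(path, 0700) == 0) return 0;       /* created: nothing open */
    if (errno != EEXIST) return -1;
    int dfd = open(path, O_RDONLY | O_DIRECTORY);
    return dfd < 0 ? -1 : 0;                    /* BUG: dfd stays open */
}

/* Fixed shape: dfd is closed on every path, and O_CLOEXEC keeps an
 * accidental leak from surviving exec into the user's login shell. */
int setup_runtime_dir_fixed(const char *path) {
    if (mkdir(path, 0700) == 0) return 0;
    if (errno != EEXIST) return -1;
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    close(dfd);
    return 0;
}

/* Runs one setup variant against a constructed, pre-existing directory
 * standing in for XDG_RUNTIME_DIR; returns how many directory fds it left. */
int leaked_dir_fds(int (*setup)(const char *)) {
    const char *path = "/tmp/xdg-demo-runtime-dir";   /* constructed path */
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    int before = count_open_dir_fds();
    int rc = setup(path);
    int leaked = count_open_dir_fds() - before;
    rmdir(path);
    return rc == 0 ? leaked : -1;
}
```

The leaky variant leaves one directory descriptor behind, which is exactly what 'fstat -p $$' would reveal in the login shell and what the 'exec X>&-' workaround removes.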