From nobody Tue Aug 9 22:19:02 2022 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M2SCV6GJvz4YM9b for ; Tue, 9 Aug 2022 22:19:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4M2SCV4LNTz47MD; Tue, 9 Aug 2022 22:19:02 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660083542; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=me1hIiuc5vZQq/XIdIMiWrA2gTsxU0icVEN6uKJI8/Y=; b=Hg1k/LYreUhFPG/hZJB+3efAudoqTKjO0LVDnHjCzXdKLJS/6xQZGo9Nl8ug8LE1Td/zVm gTPOLVo2a4hXjaWxMLd8L7av7755KG/AydCukvBMeIYIUidBnXsLkg8Y7dWR7GW9m9FYwP cQdfAoVXRre5xfGxQMPZicENHz6YJZOdteA6YONNy2fdv/PrDVf/wfMLzy2dZrdtmBoB5E 09H0UJaTMkx4hbhqF0d3at5AkL0Bl6CCaQIm9b3SY2vO8HoR1vxygu4cTCj30F+G4pxY0L P1LzaFB7VhqgVbERQMbIJdlmtS9b5gOTjkCmaa8Bq+uvP9DiE1mJ8qzYmMFzIA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 7717C17160; Tue, 9 Aug 2022 22:19:02 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-22:19.pam_exec Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20220809221902.7717C17160@freefall.freebsd.org> Date: Tue, 9 Aug 2022 22:19:02 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660083542; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=me1hIiuc5vZQq/XIdIMiWrA2gTsxU0icVEN6uKJI8/Y=; b=cGPaw8RJIHT6jfYJR62VLj7wwpIeANVW9pkTg9w6Zn+X5dy7hNF1ns2dA7tH4e3ca24pli ZkHWwx5tzjevgXGMhdrFVMnpzZ0cqE9y+ulVrB5v08y0CuyQUnQ18YB5OBZBdPYQ6Ija2X M9QVsZHMUYatfsQDOuHqeVKcwNMCc0H6s/T0/kfdF1PR0kCC6cecInrHEmNtsNykOd/yoP jF9tzOkgtIV75VY2bjjZbXBmbFrf99a2cihZ5tx56ggvvc6cKyYRBhel+sBeIs1IAW88Pk OT/MHfg5pjRYYAXvJWJzWRWlz4NQIPkwsvGX66ZAemAD5N00P21iNMq1OzqulQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660083542; a=rsa-sha256; cv=none; b=jrwpn+FTlv9zm51IhWoGID/QIHGLtM0jZ3yBQZUpkZAKo4iIJP9l5QJQwdMmsNaVeSHVs3 K0sXFTB7qLjUhatU+UG4VExSxRGpG/QHUTQWoysw9lQIhxViboHZGkJpkaQy1agCetOcuW sE/fo4wBwQPTqmI0cZ9cwOOGi0XbZCIxXty4/5yXEu2Ihz+q36EUey73ds9kF8+8aCZZE9 fGnB0AUaxY3ECq5XhVoc/l2x31IRU/dj16CXdHgkO8aB27vNzQxRSi0XX6cP85ZE/JHlYj +a5V53F5BZ/jJvXG5QLyfG7hBosk8Ntf+jWPrHjiInVm5leeyc9L0fY1/h+J8g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-announce@freebsd.org X-BeenThere: freebsd-announce@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-22:19.pam_exec Errata Notice The FreeBSD Project Topic: NULL pointer dereference in pam_exec(8) Category: core Module: pam Announced: 2022-08-09 Affects: FreeBSD 13.0 and later Corrected: 2022-06-24 09:09:59 UTC (stable/13, 13.1-STABLE) 2022-08-09 20:01:22 UTC (releng/13.1, 13.1-RELEASE-p1) 2022-08-09 20:00:25 UTC (releng/13.0, 13.0-RELEASE-p12) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pam_exec(8) is a pam(3) module for delegating PAM service functions to an external program. When used for authentication, it can pass the user's authentication token to the external program. II. Problem Description When pam_exec(8) is used for authentication with the `expose_authtok' option and an application calls pam_setcred(3), it attempts to expose an already stored authentication token. It is incorrectly assumed that there always is such a token stored, which leads to dereferencing a NULL pointer if this isn't the case. III. Impact It is impossible to reliably use pam_exec(8) for authentication with the `expose_authtok' option, that is necessary to have the external program check credentials. In most scenarios, authentication will fail because of a crash caused by the NULL pointer dereference. IV. Workaround No workaround is available, however systems not using pam_exec(8) for authentication are not affected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-22:19/pam_exec.patch # fetch https://security.FreeBSD.org/patches/EN-22:19/pam_exec.patch.asc # gpg --verify pam_exec.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ ea80848e1c06 stable/13-n251487 releng/13.1/ 26db194f3db1 releng/13.1-n250151 releng/13.0/ 277c0c4d2512 releng/13.0-n244802 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmLyz0cACgkQ05eS9J6n 5cJs9Q//WY8wGjWIUpmQ2Z/R9aHp7+MsFXiJ+bmwiYeX7bAWDC5uienqML62ir7y Lqnx6B0Njkn8VmV+6/R6ACCXyNbg+zSXbecOFAkclB3x65CZbOAmgvtUYKCuSdGl EzGTBOoVPIr3aowpMsnc7MULF5WXxsDfb+mqT1MIo5gmsxIIulHwui0AnPzOhmH2 gUeuA5CIsZk+QgJetAg28K0fB4pbKquX82sSiDbfMK+MrXOVugSTHDq1w+01LbW/ YKNSo+kkMw+NmDBD46ibrMDJCVucdwpGISDzhJNALnUudLb8f7cbF/NN1Cd14zxA P8qY7CHmkSUVtREDGcvJ4TYIXtvCuT5iUaWymDkN1URu6MM0Ixa6JkG8yYBMi802 Vg7/I2Z0I6F0oeDISmFGvF1Kic50sWL7pnPTpoNudI8RhRJzvNQpE67oF1IIdsEy Ij8aCRbkhirtlETUFmJw7YOWRVnMs9peahimmHVZ0bVwBG5eWuLb/7mSXtSvnUeD Af7U0Z82GHtb0vyFvc1zJcQa+nvkQGzEPsBTC8PxYdba1ZK5zJ9JW3cuSmJYW6jW Jao/8DvRQa0PrQe4ahy2xqa/ImYTr9RMaIT+x8ArRm4glfMZNDtbLjfgh0ebRGn+ Fhh1DS7URCijOwsK9pM1mX7zaROINyyXpGNhnzd2SJsH9p31VaE= =JZ5O -----END PGP SIGNATURE-----