Bug 1179166 - (CVE-2020-27780) VUL-0: CVE-2020-27780: pam: bypass of password base authentication if user does not exist and root password is blank
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Version: Current
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Critical
Assigned To: Josef Möllers
QA Contact: E-mail List
URL: https://smash.suse.de/issue/272203/
Reported: 2020-11-24 17:06 UTC by Marcus Meissner
Modified: 2020-11-27 10:10 UTC (History)
CC: 1 user

Description Marcus Meissner 2020-11-24 17:06:52 UTC
https://github.com/linux-pam/linux-pam/issues/284

https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb

This seems to allow bypass of authentication.

(Not fully clear on the circumstances that allow this.)
Comment 1 Marcus Meissner 2020-11-24 17:11:27 UTC
https://github.com/linux-pam/linux-pam/commit/28b8c7045ac8ea4ea080bce02a2df9e3b9e98f06

This only affects PAM 1.5.0; older versions are not affected.
Comment 2 Thorsten Kukuk 2020-11-25 12:42:55 UTC
(In reply to Marcus Meissner from comment #0)

> (Not fully clear on the circumstances that allow this.)

Only if root has no password and if you allow root to log in with no password (so the nullok option is used).

None of this should be used anywhere, nor be the default.
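The two preconditions named in comment 2 (root has an empty password hash in shadow(5), and some pam.d service passes nullok to pam_unix) can be checked on a host independently of the PAM version. The script below is an added example, not part of this bug report and not code from the linux-pam project: it tests only those two preconditions, not the PAM 1.5.0 defect itself, and takes the shadow file and pam.d directory as parameters so it can run against the constructed sample files it creates (the sample shadow entries and pam.d lines are made up for the demonstration; the function names are the example's own).

```shell
#!/bin/sh
# Added example, not from the bug report or from linux-pam. Checks the two
# preconditions from comment 2: an empty root password hash in shadow(5) and
# a pam_unix.so line carrying nullok (or nullok_secure) in pam.d.

# Returns 0 only if the shadow file has a root entry whose hash field is empty.
# A missing root line, or a locked hash such as "!" or "*", is not "blank".
root_password_blank() {
    shadow="$1"
    # Print a marker plus the second field so a missing root line (no output)
    # is distinguishable from an empty hash (output "HASH=").
    line=$(awk -F: '$1 == "root" { print "HASH=" $2; exit }' "$shadow")
    [ "$line" = "HASH=" ]
}

# Returns 0 if any file in the given pam.d directory passes nullok to
# pam_unix.so; the matching lines are printed with file name and line number.
pam_unix_allows_nullok() {
    pamdir="$1"
    grep -Hn 'pam_unix\.so.*nullok' "$pamdir"/* 2>/dev/null
}

# Prints a verdict and returns 0 only when BOTH preconditions hold.
check_blank_root_nullok() {
    shadow="$1"
    pamdir="$2"
    blank=no
    nullok=no
    root_password_blank "$shadow" && blank=yes
    pam_unix_allows_nullok "$pamdir" >/dev/null && nullok=yes
    echo "blank root password: $blank, pam_unix nullok: $nullok"
    if [ "$blank" = yes ] && [ "$nullok" = yes ]; then
        echo "both preconditions from comment 2 are present on this configuration"
        return 0
    fi
    return 1
}

# Constructed sample data (not real system files) so the script runs stand-alone.
# To check a live host instead, pass /etc/shadow and /etc/pam.d (needs root).
sample=$(mktemp -d)
printf 'root::18500:0:99999:7:::\n' > "$sample/shadow"
printf 'alice:$6$saltsalt$notarealhash:18500:0:99999:7:::\n' >> "$sample/shadow"
mkdir "$sample/pam.d"
printf 'auth     required   pam_unix.so nullok\n' > "$sample/pam.d/login"
printf 'account  required   pam_unix.so\n' >> "$sample/pam.d/login"

if check_blank_root_nullok "$sample/shadow" "$sample/pam.d"; then
    pam_unix_allows_nullok "$sample/pam.d"
fi
rm -rf "$sample"
```

The check is deliberately narrow: a locked root hash ("!" or "*") or a missing root entry is reported as not blank, and only pam_unix.so lines that mention nullok count, so a system where nullok is given to another module is not flagged.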
Comment 3 Thorsten Kukuk 2020-11-27 09:43:50 UTC
I updated the package to version 1.5.1
Comment 4 OBSbugzilla Bot 2020-11-27 10:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1179166) was mentioned in
https://build.opensuse.org/request/show/851278 Factory / pam