Version in base suite: 0.6.12-1 Base version: pam-pkcs11_0.6.12-1 Target version: pam-pkcs11_0.6.12-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pam-pkcs11/pam-pkcs11_0.6.12-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pam-pkcs11/pam-pkcs11_0.6.12-1+deb12u1.dsc changelog | 11 + patches/Fixed-possible-authentication-bypass-Don-t-return-PA.patch | 99 ++++++++++ patches/Update-configuration-files-for-the-CVE-2025-24032-fi.patch | 62 ++++++ patches/fixed-possible-authentication-bypass-Use-signatures-.patch | 97 +++++++++ patches/series | 3 5 files changed, 272 insertions(+)
diff -Nru pam-pkcs11-0.6.12/debian/changelog pam-pkcs11-0.6.12/debian/changelog
--- pam-pkcs11-0.6.12/debian/changelog 2023-02-04 21:30:23.000000000 +0000
+++ pam-pkcs11-0.6.12/debian/changelog 2025-02-10 20:06:21.000000000 +0000
@@ -1,3 +1,14 @@
+pam-pkcs11 (0.6.12-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed possible authentication bypass: Don't return PAM_IGNORE
+ (CVE-2025-24531) (Closes: #1095402)
+ * fixed possible authentication bypass: Use signatures to verify
+ authentication by default (CVE-2025-24032)
+ * Update configuration files for the CVE-2025-24032 fix
+
+ -- Salvatore Bonaccorso Mon, 10 Feb 2025 21:06:21 +0100
+
 pam-pkcs11 (0.6.12-1) unstable; urgency=medium
 
 [ Debian Janitor ]
diff -Nru pam-pkcs11-0.6.12/debian/patches/Fixed-possible-authentication-bypass-Don-t-return-PA.patch pam-pkcs11-0.6.12/debian/patches/Fixed-possible-authentication-bypass-Don-t-return-PA.patch
--- pam-pkcs11-0.6.12/debian/patches/Fixed-possible-authentication-bypass-Don-t-return-PA.patch 1970-01-01 00:00:00.000000000 +0000
+++ pam-pkcs11-0.6.12/debian/patches/Fixed-possible-authentication-bypass-Don-t-return-PA.patch 2025-02-10 20:06:21.000000000 +0000
@@ -0,0 +1,99 @@
+From 2ecba68d404c3112546a9e802e3776b9f6c50a6a Mon Sep 17 00:00:00 2001
+From: Frank Morgner
+Date: Fri, 6 Dec 2024 03:08:38 +0100
+Subject: [PATCH] Fixed possible authentication bypass: Don't return PAM_IGNORE
+
+Starting with bac6cf8e0b242e508e8b715e7f78d52f1227840a (released with
+pam_pkcs11-0.6.12), return codes defaulted to PAM_IGNORE in most cases
+where authentication was not possible. This change has not been
+anticipated in PAM configurations and may lead to authentication
+bypasses. If pam_pkcs11 was configured as the only module which could
+provide authentication and would silently fail with PAM_IGNORE, then
+this return code may be transformed to PAM_SUCCESS by subsequent PAM
+modules that don't actually perform authentication. This change avoids
+this situation by *not* returning PAM_IGNORE by default as done in
+0.6.11 and before.
+
+If pam_pkcs11 is the only module providing authentication in the PAM
+stack, then the following PAM configuration could be used to avoid this
+situation as well:
+
+auth [success=ok default=bad] pam_pkcs11.so wait_for_card card_only
+
+In the configuration above, PAM_IGNORE will lead to an authentication
+failure even for an unpatched pam_pkcs11-0.6.12 (note the missing
+`ignore=ignore`).
+
+Thanks to Matthias Gerstner (@mgerstner) and the SUSE Linux team for
+reporting this problem providing analysis and the workaround
+configuration of a possibly vulnerable PAM stack.
+---
+ src/pam_pkcs11/pam_pkcs11.c | 35 +++++++----------------------------
+ 1 file changed, 7 insertions(+), 28 deletions(-)
+
+--- a/src/pam_pkcs11/pam_pkcs11.c
++++ b/src/pam_pkcs11/pam_pkcs11.c
+@@ -281,13 +281,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ }
+ }
+
+- if (!configuration->card_only || !login_token_name) {
+- /* Allow to pass to the next module if the auth isn't
+- restricted to card only.
*/
+- pkcs11_pam_fail = PAM_IGNORE;
+- } else {
+- pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
+- }
++ pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
+
+ /* fail if we are using a remote server
+ * local login: DISPLAY=:0
+@@ -366,13 +360,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ }
+
+ if (rv != 0) {
+- /* No token found */
+- if (!configuration->card_only) {
+- /* If the login isn't restricted to card-only, then proceed
+- to the next auth. module quietly. */
+- release_pkcs11_module(ph);
+- goto exit_ignore;
+- }
++ /* No token found */
+
+ ERR("no suitable token available");
+ if (!configuration->quiet) {
+@@ -402,16 +390,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+ if (rv != 0) {
+ release_pkcs11_module(ph);
+ /* Still no card */
+- if (pkcs11_pam_fail != PAM_IGNORE) {
+- if (!configuration->quiet) {
+- pam_prompt(pamh, PAM_ERROR_MSG,
+- NULL, _("Error 2308: No smartcard found"));
+- sleep(configuration->err_display_time);
+- }
+- } else {
+- pam_prompt(pamh, PAM_TEXT_INFO,
+- NULL, _("No smartcard found"));
+- goto exit_ignore;
++ if (!configuration->quiet) {
++ pam_prompt(pamh, PAM_ERROR_MSG,
++ NULL, _("Error 2308: No smart card found."));
++ sleep(configuration->err_display_time);
+ }
+ return pkcs11_pam_fail;
+ }
+@@ -797,11 +779,7 @@ auth_failed:
+ cleanse( password, strlen(password) );
+ free( password );
+ }
+-
+- if (PAM_IGNORE == pkcs11_pam_fail)
+- goto exit_ignore;
+- else
+- return pkcs11_pam_fail;
++ return pkcs11_pam_fail;
+
+ exit_ignore:
+ pam_prompt( pamh, PAM_TEXT_INFO, NULL,
diff -Nru pam-pkcs11-0.6.12/debian/patches/Update-configuration-files-for-the-CVE-2025-24032-fi.patch pam-pkcs11-0.6.12/debian/patches/Update-configuration-files-for-the-CVE-2025-24032-fi.patch
--- pam-pkcs11-0.6.12/debian/patches/Update-configuration-files-for-the-CVE-2025-24032-fi.patch 1970-01-01 00:00:00.000000000 +0000
+++ pam-pkcs11-0.6.12/debian/patches/Update-configuration-files-for-the-CVE-2025-24032-fi.patch 2025-02-10 20:06:21.000000000 +0000
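Review bot: The hunk at line 402 changes the gettext msgid from `_("Error 2308: No smartcard found")` to `_("Error 2308: No smart card found.")`, so existing translations of that message no longer match and users of this stable update will see the English text; a minimal security backport would keep the old msgid, `NULL, _("Error 2308: No smartcard found"));`, unless the po files are updated as well. The hunk at line 797 removes the last `goto exit_ignore` visible here while the `exit_ignore:` label and its pam_prompt stay; if no other jump to it survives outside these hunks, the label is dead and will warn under -Wunused-label, so it should be dropped in a follow-up. Because the module now returns PAM_CRED_INSUFFICIENT everywhere it used to return PAM_IGNORE, stacks that relied on the silent fall-through (the packaged `1_pam.d_ignore_no_card.example` in series suggests such setups exist) now fail closed, and a debian/NEWS entry pointing at the `[success=ok default=bad]` control line from the patch description would help administrators understand the change. pam_sm_authenticate starts and ends outside the quoted hunks.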
@@ -0,0 +1,62 @@
+From d9530167966a77115db6e885d459382a2e52ee9e Mon Sep 17 00:00:00 2001
+From: Paul Wolneykien
+Date: Tue, 4 Feb 2025 20:07:59 +0300
+Subject: [PATCH] Update configuration files for the CVE-2025-24032 fix
+
+Added a comment on the "no_signature" value. Also, use "signature"
+instead of "none". Added a note, that "none" doesn't mean
+"no_signature".
+---
+ etc/pam_pkcs11.conf.example.in | 8 +++++---
+ src/pam_pkcs11/pam_config.c | 1 -
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/etc/pam_pkcs11.conf.example.in b/etc/pam_pkcs11.conf.example.in
+index 6189932e95c8..7ca45b781601 100644
+--- a/etc/pam_pkcs11.conf.example.in
++++ b/etc/pam_pkcs11.conf.example.in
+@@ -92,7 +92,7 @@ pam_pkcs11 {
+ support_threads = false;
+
+ # Sets the Certificate verification policy.
+- # "none" Performs no verification
++ # "none" Performs no verification, except (!) the signature
+ # "ca" Does CA check
+ # "crl_online" Downloads the CRL form the location given by the
+ # CRL distribution point extension of the certificate
+@@ -101,8 +101,10 @@ pam_pkcs11 {
+ # tries to download the CRL from a possibly given CRL
+ # distribution point and if this fails, uses the local
+ # CRLs
+- # "signature" Does also a signature check to ensure that private
++ # "signature" Does a signature check to ensure that private
+ # and public key matches
++ # "no_signature" The only value that disables signature check.
++ #
+ # You can use a combination of ca,crl, and signature flags, or just
+ # use "none".
+ cert_policy = ca,signature;
+@@ -138,7 +140,7 @@ pam_pkcs11 {
+ support_threads = false;
+ ca_dir = /etc/pam_pkcs11/cacerts;
+ crl_dir = /etc/pam_pkcs11/crls;
+- cert_policy = none;
++ cert_policy = signature;
+ }
+
+ # Which mappers ( Cert to login ) to use?
+diff --git a/src/pam_pkcs11/pam_config.c b/src/pam_pkcs11/pam_config.c
+index f5243caab59f..6590478d5133 100644
+--- a/src/pam_pkcs11/pam_config.c
++++ b/src/pam_pkcs11/pam_config.c
+@@ -195,7 +195,6 @@ static void parse_config_file(void) {
+ } else if ( !strcmp(policy_list->data,"signature") ) {
+ // ignore this setting for legacy reasons
+ } else if ( !strcmp(policy_list->data,"no_signature") ) {
+- // ignore this setting for legacy reasons
+ configuration.policy.no_signature_policy=1;
+ } else {
+ DBG1("Invalid CRL policy: %s",policy_list->data);
+--
+2.47.2
+
diff -Nru pam-pkcs11-0.6.12/debian/patches/fixed-possible-authentication-bypass-Use-signatures-.patch pam-pkcs11-0.6.12/debian/patches/fixed-possible-authentication-bypass-Use-signatures-.patch
--- pam-pkcs11-0.6.12/debian/patches/fixed-possible-authentication-bypass-Use-signatures-.patch 1970-01-01 00:00:00.000000000 +0000
+++ pam-pkcs11-0.6.12/debian/patches/fixed-possible-authentication-bypass-Use-signatures-.patch 2025-02-10 20:06:21.000000000 +0000
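Review bot: The policy comment in the example-config hunk at line 101 still closes with `# You can use a combination of ca,crl, and signature flags, or just use "none".`, which omits the `no_signature` value introduced two lines above and leaves it unclear that "none" keeps the signature check; suggest `# You can use a combination of ca, crl, signature and no_signature flags; "none" still keeps the signature check.` The new `"no_signature"` line would also be more useful if it said what is given up: with it set, a token that carries only the user's public certificate and a PIN known to its holder is accepted, which is the CVE-2025-24032 scenario the accompanying patch describes, so the value should be marked as not recommended. The pam_config.c hunk at line 195 is fine as far as it goes, but the error branch still reports `Invalid CRL policy` for a bad cert_policy token, which is confusing for administrators trying the new value. parse_config_file continues outside the quoted hunk.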
@@ -0,0 +1,97 @@
+From b665b287ff955bbbd9539252ff9f9e2754c3fb48 Mon Sep 17 00:00:00 2001
+From: Frank Morgner
+Date: Fri, 6 Dec 2024 04:39:04 +0100
+Subject: [PATCH] fixed possible authentication bypass: Use signatures to
+ verify authentication by default
+
+If cert_policy is set to none (the default value), then pam_pkcs11 will
+only check if the user is capable of logging into the token. An attacker
+may create a different token with the user's public data (e.g. the
+user's certificate) and a PIN known to the attacker. If no signature
+with the private key is required, then the attacker may now login as
+user with that created token.
+
+This change, by default, uses the private key to crate a signature. A
+new policy, `no_signature` is introduced if the module should really
+*not* validate the key's signature
+---
+ src/common/cert_vfy.h | 2 +-
+ src/pam_pkcs11/pam_config.c | 16 +++++++++++-----
+ src/pam_pkcs11/pam_pkcs11.c | 2 +-
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/src/common/cert_vfy.h
++++ b/src/common/cert_vfy.h
+@@ -48,7 +48,7 @@ typedef enum {
+ struct cert_policy_st {
+ int ca_policy;
+ int crl_policy;
+- int signature_policy;
++ int no_signature_policy;
+ const char *ca_dir;
+ const char *crl_dir;
+ const char *nss_dir;
+--- a/src/pam_pkcs11/pam_config.c
++++ b/src/pam_pkcs11/pam_config.c
+@@ -87,7 +87,7 @@ static void display_config (void) {
+ DBG1("support_threads %d",configuration.support_threads);
+ DBG1("ca_policy %d",configuration.policy.ca_policy);
+ DBG1("crl_policy %d",configuration.policy.crl_policy);
+- DBG1("signature_policy %d",configuration.policy.signature_policy);
++ DBG1("no_signature_policy %d",configuration.policy.no_signature_policy);
+ DBG1("ocsp_policy %d",configuration.policy.ocsp_policy);
+ DBG1("err_display_time %d", configuration.err_display_time);
+ }
+@@ -185,7 +185,7 @@ static void parse_config_file(void) {
+ configuration.policy.crl_policy=CRLP_NONE;
+ configuration.policy.ocsp_policy=OCSP_NONE;
+
configuration.policy.ca_policy=0;
+- configuration.policy.signature_policy=0;
++ configuration.policy.no_signature_policy=0;
+ break;
+ } else if ( !strcmp(policy_list->data,"crl_auto") ) {
+ configuration.policy.crl_policy=CRLP_AUTO;
+@@ -198,7 +198,10 @@ static void parse_config_file(void) {
+ } else if ( !strcmp(policy_list->data,"ca") ) {
+ configuration.policy.ca_policy=1;
+ } else if ( !strcmp(policy_list->data,"signature") ) {
+- configuration.policy.signature_policy=1;
++ // ignore this setting for legacy reasons
++ } else if ( !strcmp(policy_list->data,"no_signature") ) {
++ // ignore this setting for legacy reasons
++ configuration.policy.no_signature_policy=1;
+ } else {
+ DBG1("Invalid CRL policy: %s",policy_list->data);
+ }
+@@ -326,7 +329,7 @@ struct configuration_st *pk_configure( i
+ if (strstr(argv[i],"none")) {
+ configuration.policy.crl_policy=CRLP_NONE;
+ configuration.policy.ca_policy=0;
+- configuration.policy.signature_policy=0;
++ configuration.policy.no_signature_policy=0;
+ configuration.policy.ocsp_policy=OCSP_NONE;
+ }
+ if (strstr(argv[i],"crl_online")) {
+@@ -345,7 +348,10 @@ struct configuration_st *pk_configure( i
+ configuration.policy.ca_policy=1;
+ }
+ if (strstr(argv[i],"signature")) {
+- configuration.policy.signature_policy=1;
++ // ignore this setting for legacy reasons
++ }
++ if (strstr(argv[i],"no_signature")) {
++ configuration.policy.no_signature_policy=1;
+ }
+ continue;
+ }
+--- a/src/pam_pkcs11/pam_pkcs11.c
++++ b/src/pam_pkcs11/pam_pkcs11.c
+@@ -618,7 +618,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_h
+
+
+ /* if signature check is enforced, generate random data, sign and verify */
+- if (configuration->policy.signature_policy) {
++ if (!configuration->policy.no_signature_policy) {
+ pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
+
+
diff -Nru pam-pkcs11-0.6.12/debian/patches/series pam-pkcs11-0.6.12/debian/patches/series
--- pam-pkcs11-0.6.12/debian/patches/series 2023-02-04 21:30:23.000000000 +0000
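Review bot: In the pk_configure hunk at line 345, `strstr(argv[i],"signature")` also matches the module argument `no_signature`, so both new branches run for that value; this is only harmless because the `signature` branch is now empty, and any later code placed there would silently apply to `no_signature` as well. That should be pinned with a comment in the empty branch, `// note: "no_signature" also matches this strstr(); keep this branch empty`, or by testing `no_signature` before `signature`. In the pam_pkcs11.c hunk at line 618 the disabled case is silent; an `else` branch such as `ERR("signature check disabled by cert_policy no_signature");` would make a weakened configuration visible in the authentication log, since display_config only reports the flag through DBG1. The field rename in cert_vfy.h also inverts the flag's meaning, so any other translation unit still reading `signature_policy` would fail to compile; the three-file diffstat suggests there is none, but that is worth confirming at build time. parse_config_file, pk_configure and pam_sm_authenticate all continue outside the quoted hunks.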
+++ pam-pkcs11-0.6.12/debian/patches/series 2025-02-10 20:06:21.000000000 +0000
@@ -1 +1,4 @@
 1_pam.d_ignore_no_card.example
+Fixed-possible-authentication-bypass-Don-t-return-PA.patch
+fixed-possible-authentication-bypass-Use-signatures-.patch
+Update-configuration-files-for-the-CVE-2025-24032-fi.patch