Message ID | 20251021135907.17684-1-anders.heimer@est.tech |
---|---|
State | New |
Series | libpam: mark CVE-2025-6018 as not applicable |
NVD shows the following CPE for this CVE: cpe:2.3:a:suse:pam-config:1.1.8-24.71.1:*:*:*:*:*:*:*

So we don't need to ignore it, as it won't show up in Yocto CVE reports. Next time I search for obsolete CVE_STATUS entries, I'd erase this commit. What's the reason for this patch?

What would be worth investigating is CVE-2024-10041, which is reported for the libpam recipe. Unfortunately it's not reported on the autobuilder, as it's not using the systemd+pam distro config.

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Anders Heimer
> Sent: Tuesday, October 21, 2025 15:59
> To: openembedded-core@lists.openembedded.org
> Cc: Anders Heimer <anders.heimer@est.tech>
> Subject: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
>
> CVE-2025-6018 is a local privilege escalation in PAM that requires
> `user_readenv=1` to be enabled in the PAM configuration. The default
> configuration does not enable reading user environment files (user_readenv
> is 0 by default). Hence this vulnerability cannot be exploited using the
> default configuration.
>
> Signed-off-by: Anders Heimer <anders.heimer@est.tech>
> ---
> meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-
> extended/pam/libpam_1.7.1.bb
> index 8d9ea27028..42b50a8c22 100644
> --- a/meta/recipes-extended/pam/libpam_1.7.1.bb
> +++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
> @@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-
> PAM-${PV}.tar.xz \
>
> SRC_URI[sha256sum] =
> "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0"
>
> +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config
> does not use user_readenv=1"
> +
> DEPENDS = "bison-native flex-native libxml2-native virtual/crypt"
>
> EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security"
>
> base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9
> --
> 2.34.1
```diff
diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
index 8d9ea27028..42b50a8c22 100644
--- a/meta/recipes-extended/pam/libpam_1.7.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
@@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
 
 SRC_URI[sha256sum] = "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0"
 
+CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config does not use user_readenv=1"
+
 DEPENDS = "bison-native flex-native libxml2-native virtual/crypt"
 
 EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security"
```
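Review bot: the reason string on the added CVE_STATUS line justifies a "not-applicable-config" status with a property of the PAM service files rather than of anything this recipe builds, so it should name which default pam.d files were checked for a pam_env line carrying user_readenv=1; a distro or layer that adds that option to its own pam_env line otherwise inherits the not-applicable verdict silently. The reply in this thread also points out that NVD files CVE-2025-6018 under the suse:pam-config CPE, so the entry may never match a Yocto CVE report and will look obsolete in the next CVE_STATUS sweep; either drop the line or say in the string why it is expected to match.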
CVE-2025-6018 is a local privilege escalation in PAM that requires `user_readenv=1` to be enabled in the PAM configuration. The default configuration does not enable reading user environment files (user_readenv is 0 by default). Hence this vulnerability cannot be exploited using the default configuration.

Signed-off-by: Anders Heimer <anders.heimer@est.tech>
---
 meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
 1 file changed, 2 insertions(+)

base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9
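The commit message's claim is about a configuration property, not a build property, so the check a practitioner wants is "does any pam.d service on this image actually pass user_readenv=1 to pam_env?". The scanner below is an added example for this thread, not code from the libpam recipe, Linux-PAM or the patch author. It assumes a flat pam.d directory (`@include` lines are skipped rather than followed), treats an absent option as user_readenv=0 because the commit message states that is the default, and the sample pam.d contents are constructed for the example.

```python
"""Scan pam.d service files for pam_env lines that enable user_readenv=1,
the precondition the commit message gives for CVE-2025-6018.

Added example for this thread; not code from the libpam recipe or Linux-PAM.
The sample configuration at the bottom is constructed for the example."""
import os
import re
import tempfile

# Absent option == 0, per the commit message ("user_readenv is 0 by default").
DEFAULT_USER_READENV = 0


def _logical_lines(text):
    """Yield config lines with '#' comments stripped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line
    if buf.strip():  # unterminated continuation at end of file
        yield buf.strip()


def parse_pam_service(text):
    """Return [(type, control, module, args)] for one pam.d file.

    Handles the bracketed control form '[success=1 default=ignore]' and the
    leading '-' that marks a module as optional-if-missing.
    Assumption: '@include' is skipped (each file is scanned on its own)."""
    entries = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("@include") or len(tokens) < 3:
            continue
        mtype = tokens[0].lstrip("-")
        if tokens[1].startswith("["):
            i, ctrl = 1, []
            while i < len(tokens):  # control spans tokens up to the one ending in ']'
                ctrl.append(tokens[i])
                if tokens[i].endswith("]"):
                    break
                i += 1
            control, rest = " ".join(ctrl), tokens[i + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append((mtype, control, rest[0], rest[1:]))
    return entries


def user_readenv_enabled(entry):
    """True if this entry is pam_env.so and it reads ~/.pam_environment."""
    _mtype, _control, module, args = entry
    if os.path.basename(module) != "pam_env.so":
        return False
    value = DEFAULT_USER_READENV
    for arg in args:  # last occurrence wins, as with repeated module args
        m = re.fullmatch(r"user_readenv=(\d+)", arg)
        if m:
            value = int(m.group(1))
    return value != 0


def scan_pam_dir(pam_dir):
    """Map service name -> True if any pam_env line in it reads user env files.

    Services with no pam_env line are omitted: there is nothing to report."""
    result = {}
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            entries = parse_pam_service(f.read())
        env_lines = [e for e in entries if os.path.basename(e[2]) == "pam_env.so"]
        if env_lines:
            result[name] = any(user_readenv_enabled(e) for e in env_lines)
    return result


# Constructed sample: default-style service, one that explicitly turns the
# option on (with a continuation line and a comment), one that turns it off,
# and one with no pam_env at all.
SAMPLE_PAM_D = {
    "common-session": "session\trequired\tpam_env.so\n-session\toptional\tpam_systemd.so\n",
    "sshd": ("auth\t[success=1 default=ignore]\tpam_unix.so nullok\n"
             "auth\trequired\tpam_deny.so\n"
             "session\trequired\tpam_env.so user_readenv=1 \\\n"
             "\t\tenvfile=/etc/default/locale   # reads ~/.pam_environment\n"),
    "login": "session\trequired\tpam_env.so user_readenv=0\n",
    "su": "auth\tsufficient\tpam_rootok.so\n",
}


def demo():
    """Write the constructed sample to a temp dir and scan it like /etc/pam.d."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLE_PAM_D.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(content)
        return scan_pam_dir(d)


if __name__ == "__main__":
    for svc, enabled in demo().items():
        print(f"{svc:16} user_readenv={'1 (exposed)' if enabled else '0'}")
```

Point `scan_pam_dir` at the image's `/etc/pam.d` (or the rootfs copy in the build tree) to confirm the recipe's assumption holds for the configuration actually shipped, including service files contributed by other layers.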