| Message ID | 20251021135907.17684-1-anders.heimer@est.tech |
|---|---|
| State | New |
| Series | libpam: mark CVE-2025-6018 as not applicable |
NVD shows the following CPE for this CVE:
cpe:2.3:a:suse:pam-config:1.1.8-24.71.1:*:*:*:*:*:*:*

So we don't need to ignore it, as it won't show up in Yocto CVE reports.
Next time I search for obsolete CVE_STATUS entries, I'd erase this commit.
What's the reason for this patch?

What would be worth investigating is CVE-2024-10041, which is reported for the libpam recipe.
Unfortunately it is not reported on the autobuilder, as it's not using the systemd+pam distro config.

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Anders Heimer
> Sent: Tuesday, October 21, 2025 15:59
> To: openembedded-core@lists.openembedded.org
> Cc: Anders Heimer <anders.heimer@est.tech>
> Subject: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
>
> CVE-2025-6018 is a local privilege escalation in PAM that requires
> `user_readenv=1` to be enabled in the PAM configuration. The default
> configuration does not enable reading user environment files (user_readenv
> is 0 by default). Hence this vulnerability cannot be exploited using the
> default configuration.
>
> Signed-off-by: Anders Heimer <anders.heimer@est.tech>
> ---
> meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
> index 8d9ea27028..42b50a8c22 100644
> --- a/meta/recipes-extended/pam/libpam_1.7.1.bb
> +++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
> @@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux- > PAM-${PV}.tar.xz \ > > SRC_URI[sha256sum] = > "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0" > > +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config > does not use user_readenv=1" > + > DEPENDS = "bison-native flex-native libxml2-native virtual/crypt" > > EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security" > > base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9 > -- > 2.34.1
On 10/21/25 16:15, Peter Marko via lists.openembedded.org wrote:
> NVD shows the following CPE for this CVE:
> cpe:2.3:a:suse:pam-config:1.1.8-24.71.1:*:*:*:*:*:*:*
>
> So we don't need to ignore it, as it won't show up in Yocto CVE reports.
> Next time I search for obsolete CVE_STATUS entries, I'd erase this commit.
> What's the reason for this patch?

Thanks for the clarification. I agree, CVE-2025-6018 doesn't hit Yocto's libpam. My patch came from our internal scanner flagging the CVE; it doesn't use Yocto's product mapping and raised a false positive.

Br,
Anders

> What would be worth investigating is CVE-2024-10041, which is reported for the libpam recipe.
> Unfortunately it is not reported on the autobuilder, as it's not using the systemd+pam distro config.
>
> Peter
>
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Anders Heimer
>> Sent: Tuesday, October 21, 2025 15:59
>> To: openembedded-core@lists.openembedded.org
>> Cc: Anders Heimer <anders.heimer@est.tech>
>> Subject: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
>>
>> CVE-2025-6018 is a local privilege escalation in PAM that requires
>> `user_readenv=1` to be enabled in the PAM configuration. The default
>> configuration does not enable reading user environment files (user_readenv
>> is 0 by default). Hence this vulnerability cannot be exploited using the
>> default configuration.
>>
>> Signed-off-by: Anders Heimer <anders.heimer@est.tech>
>> ---
>> meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
>> index 8d9ea27028..42b50a8c22 100644
>> --- a/meta/recipes-extended/pam/libpam_1.7.1.bb
>> +++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
>> @@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux- >> PAM-${PV}.tar.xz \ >> >> SRC_URI[sha256sum] = >> "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0" >> >> +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config >> does not use user_readenv=1" >> + >> DEPENDS = "bison-native flex-native libxml2-native virtual/crypt" >> >> EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security" >> >> base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9 >> -- >> 2.34.1 > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#225151): https://lists.openembedded.org/g/openembedded-core/message/225151 > Mute This Topic: https://lists.openembedded.org/mt/115873392/7170510 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [anders.heimer@runbox.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb index 8d9ea27028..42b50a8c22 100644 --- a/meta/recipes-extended/pam/libpam_1.7.1.bb +++ b/meta/recipes-extended/pam/libpam_1.7.1.bb @@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \ SRC_URI[sha256sum] = "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0" +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config does not use user_readenv=1" + DEPENDS = "bison-native flex-native libxml2-native virtual/crypt" EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security"
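Review bot: The added `+CVE_STATUS[CVE-2025-6018] = "not-applicable-config: ..."` line in this hunk appears to be unnecessary rather than wrong: as the thread points out, NVD's CPE for this CVE is `cpe:2.3:a:suse:pam-config:1.1.8-24.71.1:*:*:*:*:*:*:*`, i.e. the affected product is SUSE's pam-config and not Linux-PAM, so the CVE will not show up in Yocto CVE reports for the libpam recipe and the entry would never suppress anything, only become a stale CVE_STATUS line to be cleaned up later. If an entry is kept anyway, the justification should state the real reason (the CVE is filed against a different product), since "Default PAM config does not use user_readenv=1" reads as a configuration claim that does not describe why the CVE is irrelevant to this recipe.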
CVE-2025-6018 is a local privilege escalation in PAM that requires `user_readenv=1` to be enabled in the PAM configuration. The default configuration does not enable reading user environment files (user_readenv is 0 by default). Hence this vulnerability cannot be exploited using the default configuration.

Signed-off-by: Anders Heimer <anders.heimer@est.tech>
---
meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
1 file changed, 2 insertions(+)

base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9
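As an added example (not part of this thread or of the OE-core recipe), a small Python audit that parses pam.d-style configuration text and reports which `pam_env.so` entries carry the `user_readenv=1` argument the commit message names as the precondition; the sample configuration is constructed, and the parser handles comments, bracketed control fields and backslash continuations.

```python
import re
from typing import Dict, List

# Constructed sample in /etc/pam.d syntax (not taken from any real system).
SAMPLE_PAM_CONFIG = """\
# /etc/pam.d/common-session (constructed sample)
session    required   pam_unix.so
session    optional   pam_env.so
# next line enables per-user env files, the precondition the commit names
session    optional   pam_env.so readenv=1 user_readenv=1 envfile=/etc/environment
session    [success=1 default=ignore] pam_env.so user_readenv=0
auth       required   pam_env.so \\
                      user_readenv=1
"""


def _logical_lines(text: str):
    """Yield pam.d lines with comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""


def parse_pam_lines(text: str) -> List[Dict]:
    """Parse pam.d text into entries: type, control, module and module arguments."""
    entries = []
    for line in _logical_lines(text):
        # control is either a single word or a bracketed list like [success=1 default=ignore]
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            continue
        typ, control, module, args = m.groups()
        entries.append({"type": typ, "control": control,
                        "module": module, "args": args.split()})
    return entries


def user_readenv_enabled(text: str) -> List[str]:
    """Return the module-type of every pam_env.so entry that sets user_readenv=1."""
    return [e["type"] for e in parse_pam_lines(text)
            if e["module"].endswith("pam_env.so") and "user_readenv=1" in e["args"]]
```

An empty result means no stack in the scanned file reads per-user environment files; the check should be run over every file in the pam.d directory, not just the one shown.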