• Bug#1110326: pam: lack of apparmor break may lead to unexpect system lo

    From Bastien Roucaries@21:1/5 to All on Sun Aug 3 14:09:39 2025
    To: [email protected] (Salvatore Bonaccorso)

    On Sunday, 3 August 2025, 14:05:33 Central European Summer Time, Salvatore
    Bonaccorso wrote:
    On Sun, Aug 03, 2025 at 01:22:13PM +0200, Bastien Roucaries wrote:
    Source: pam
    Version: 1.7.0-5
    Severity: grave
    Justification: may break the whole system (login)
    X-Debbugs-CC: [email protected]
    X-Debbugs-CC: Debian Security Team <[email protected]>

    Hi,

    Following the fix of CVE-2024-10041, pam now uses /usr/sbin/unix_chkpwd unconditionally

    If someone uses apparmor login or user then login will fail, maybe some time later, due to expired password or other unix configuration

    see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f

    In order to be on the safe side could you add Breaks: apparmor-profiles (<< 4.1.0-1~) or maybe Pre-Depends:

    apparmor needs to be updated before pam.

    I know it is late in the release cycle, but I just detected trying to
    debug stuff for pam.

    Maybe postpone

    Should this be reassigned to src:apparmor instead then and marked
    affecting src:pam?

    Apparmor was fixed in 4.1.0-1; the problem is the upgrade path bookworm to trixie. pam needs to be upgraded after apparmor, and moreover, in order to be on the safe side, I think we must release a 3 version (bookworm) including these profiles

    rouca

    Regards,
    Salvatore



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Bastien Roucaries on Sun Aug 3 14:40:02 2025
    On Sun, Aug 03, 2025 at 01:22:13PM +0200, Bastien Roucaries wrote:
    Source: pam
    Version: 1.7.0-5
    Severity: grave
    Justification: may break the whole system (login)
    X-Debbugs-CC: [email protected]
    X-Debbugs-CC: Debian Security Team <[email protected]>

    Hi,

    Following the fix of CVE-2024-10041, pam now uses /usr/sbin/unix_chkpwd unconditionally

    If someone uses apparmor login or user then login will fail, maybe some time later, due to expired password or other unix configuration

    see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f

    In order to be on the safe side could you add Breaks: apparmor-profiles (<< 4.1.0-1~) or maybe Pre-Depends:

    apparmor needs to be updated before pam.

    I know it is late in the release cycle, but I just detected trying to debug stuff for pam.

    Maybe postpone

    Should this be reassigned to src:apparmor instead then and marked
    affecting src:pam?

    Regards,
    Salvatore
