SUSE/OpenSUSE: Tumbleweed – Review of the week; security fixes

posted by Roy Schestowitz on Oct 05, 2024,
updated Oct 05, 2024

• Dominique Leuenberger ☛ Tumbleweed – Review of the week 2024/40

  Dear Tumbleweed users and hackers,

  We released six snapshots during 2024/40 (0926, 0927, 0929, 0930, 1001, and 1002). Based on personal feelings, the week seemed ‘mixed’ – Requests came in, and requests went out. And a few things seem to hang there for longer again.

  Let’s first look at what you have received during the last week, starting on the positive side of things: [...]

• oath-toolkit: privilege escalation in pam_oath.so (CVE-2024-47191)

  oath-toolkit contains libraries and utilities for managing one-time password (OTP) authentication e.g. as a second factor to password authentication. Fellow SUSE engineer Fabian Vogt approached our Security Team about the project’s PAM module. A couple of years ago, the module gained a feature which allows to place the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users’ home directories. Since PAM stacks typically run as root, this can easily cause security issues.

Update

LWN:

• oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)

  The SUSE Security Team Blog has a detailed report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication.

  Fellow SUSE engineer Fabian Vogt approached our Security Team about the project's PAM module. A couple of years ago, the module gained a feature which allows to place the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users' home directories. Since PAM stacks typically run as root, this can easily cause security issues.