SUSE/OpenSUSE: Tumbleweed – Review of the week; security fixes
-
Dominique Leuenberger ☛ Tumbleweed – Review of the week 2024/40
Dear Tumbleweed users and hackers,
We released six snapshots during 2024/40 (0926, 0927, 0929, 0930, 1001, and 1002). Based on personal feelings, the week seemed ‘mixed’ – Requests came in, and requests went out. And a few things seem to hang there for longer again.
Let’s first look at what you have received during the last week, starting on the positive side of things: [...]
-
oath-toolkit: privilege escalation in pam_oath.so (CVE-2024-47191)
oath-toolkit contains libraries and utilities for managing one-time password (OTP) authentication, e.g. as a second factor alongside password authentication. Fellow SUSE engineer Fabian Vogt approached our Security Team about the project’s PAM module. A couple of years ago, the module gained a feature that allows the OTP state file (called usersfile) to be placed in the home directory of the user being authenticated. Fabian noticed that the PAM module performs unsafe file operations in users’ home directories. Since PAM stacks typically run as root, this can easily cause security issues.
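The defensive pattern this class of finding calls for, as an added illustration rather than oath-toolkit's own code: a root process opening a state file under a user-controlled home directory should refuse to follow symlinks at any step and verify what it actually opened before using it. The function and self-test names below are my own, and the checks assume the usual hazards of privileged access to user-owned paths (symlinks, unexpected owners, loose permissions), which the advisory excerpt does not spell out.

```c
// Hardened open of a per-user state file from a privileged process.
// Illustrative code, not taken from oath-toolkit's pam_oath module.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "<home>/<name>" without following a symlink in the final
 * component of either step, then verify via fstat() on the opened
 * descriptor (not the path, to avoid a race) that it is a regular
 * file owned by `uid` and not writable by group or others.
 * Returns an open fd, or -1 if any check fails. */
int open_user_state_file(const char *home, const char *name, uid_t uid)
{
    int dfd = open(home, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_RDWR | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    close(dfd);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != uid
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check in a scratch directory (constructed here): a regular
 * file owned by the caller is accepted, a symlink pointing at it is
 * refused. Returns 1 when both expectations hold, else 0. */
int self_test(void)
{
    char dir[] = "/tmp/statefileXXXXXX";
    if (!mkdtemp(dir)) return 0;
    char path[256], link[256];
    snprintf(path, sizeof path, "%s/usersfile", dir);
    snprintf(link, sizeof link, "%s/evil", dir);
    int ok = 0;
    int c = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (c >= 0) {
        close(c);
        int fd = open_user_state_file(dir, "usersfile", getuid());
        if (fd >= 0) { close(fd); ok = 1; }
        if (symlink(path, link) == 0
            && open_user_state_file(dir, "evil", getuid()) >= 0)
            ok = 0;   /* a symlink in place of the state file must be rejected */
    }
    unlink(link); unlink(path); rmdir(dir);
    return ok;
}
```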