git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
libpam: fix CVE-2024-10041
author Divya Chellam <divya.chellam@windriver.com>
Mon, 9 Dec 2024 13:18:26 +0000 (13:18 +0000)
committer Steve Sakoman <steve@sakoman.com>
Mon, 9 Dec 2024 15:32:54 +0000 (07:32 -0800)
commit 0e76d9bf150ac3bf96081cc1bda07e03e16fe994
tree efecc00c386cb09daa8f9a407fee75060f38caa2
parent 33050bf82add43409675122a8f29acbcda4e8439
libpam: fix CVE-2024-10041

A vulnerability was found in PAM. The secret information is
stored in memory, where the attacker can trigger the victim
program to execute by sending characters to its standard
input (stdin). As this occurs, the attacker can train the
branch predictor to execute an ROP chain speculatively.
This flaw could result in leaked passwords, such as those
found in /etc/shadow while performing authentications.

References:
https://security-tracker.debian.org/tracker/CVE-2024-10041

Upstream patches:
https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-extended/pam/libpam/CVE-2024-10041.patch [new file with mode: 0644]
meta/recipes-extended/pam/libpam_1.5.3.bb