git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
libpam: fix CVE-2024-10041
author Divya Chellam <divya.chellam@windriver.com>
Mon, 9 Dec 2024 13:26:07 +0000 (13:26 +0000)
committer Steve Sakoman <steve@sakoman.com>
Mon, 9 Dec 2024 16:16:47 +0000 (08:16 -0800)
commit 3422c2533caaa2664944315580c52a2272815305
tree acd9529f57dc3893265815242725c92b4c5f228a
parent 3079d562b4df69ab0ac20ec8d13a4240ce0a3514
libpam: fix CVE-2024-10041

A vulnerability was found in PAM. The secret information is
stored in memory, where the attacker can trigger the victim
program to execute by sending characters to its standard
input (stdin). As this occurs, the attacker can train the
branch predictor to execute an ROP chain speculatively.
This flaw could result in leaked passwords, such as those
found in /etc/shadow while performing authentications.

References:
https://security-tracker.debian.org/tracker/CVE-2024-10041

Upstream patches:
https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-extended/pam/libpam/CVE-2024-10041.patch [new file with mode: 0644]
meta/recipes-extended/pam/libpam_1.5.2.bb