• Bug#1110326: pam: lack of apparmor break may lead to unexpect system lo

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Sun Aug 3 13:21:44 2025
    Source: pam
    Version: 1.7.0-5
    Severity: grave
    Justification: may break the whole system (login)
    X-Debbugs-CC: team@release.debian.org
    X-Debbugs-CC: Debian Security Team <security@debian.org>

    Hi,

    Following the fix of CVE-2024-10041, pam now uses /usr/sbin/unix_chkpwd unconditionally

    If someone uses apparmor login or user then login will fail, maybe some time later due to expired password or other unix configuration

    see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f

    In order to be on the safe side, could you add Breaks: apparmor-profiles (<< 4.1.0-1~) or maybe Pre-Depends:

    apparmor needs to be updated before pam.

    I know it is late in the release cycle, but I just detected trying to debug stuff for pam.

    Maybe postpone

    Thanks

    rouca



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Salvatore Bonaccorso on Sun Aug 3 14:40:01 2025
    Hi,

    On Sun, Aug 03, 2025 at 02:05:33PM +0200, Salvatore Bonaccorso wrote:
    > On Sun, Aug 03, 2025 at 01:22:13PM +0200, Bastien Roucaries wrote:
    > > Source: pam
    > > Version: 1.7.0-5
    > > Severity: grave
    > > Justification: may break the whole system (login)
    > > X-Debbugs-CC: team@release.debian.org
    > > X-Debbugs-CC: Debian Security Team <security@debian.org>
    > >
    > > Hi,
    > >
    > > Following the fix of CVE-2024-10041, pam now uses /usr/sbin/unix_chkpwd unconditionally
    > >
    > > If someone uses apparmor login or user then login will fail, maybe some time
    > > later due to expired password or other unix configuration
    > >
    > > see https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f
    > >
    > > In order to be on the safe side, could you add Breaks: apparmor-profiles (<< 4.1.0-1~) or maybe Pre-Depends:
    > >
    > > apparmor needs to be updated before pam.
    > >
    > > I know it is late in the release cycle, but I just detected trying to debug stuff for pam.
    > >
    > > Maybe postpone
    >
    > Should this be reassigned to src:apparmor instead then and marked
    > affecting src:pam?

    Nevermind, the change is already in src:apparmor since 4.1.0~beta5-1
    uploaded to unstable.

    Regards,
    Salvatore
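
The version relation discussed in this thread, as an added example that is not part of either message: a Python port of the Debian Policy version-ordering rule, used to show which apparmor-profiles versions `(<< 4.1.0-1~)` would match. The function names are hypothetical and every sample version except 4.1.0~beta5-1 is constructed; on a Debian system `dpkg --compare-versions` is the authoritative check.

```python
import re
DIGITS = "0123456789"

def _order(c):
    # dpkg character weight: '~' sorts before end-of-string, letters before symbols.
    if c == "~":
        return -1
    if c == "" or c in DIGITS:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare one upstream-version or revision string; returns <0, 0 or >0.
    at = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order().
        while (at(a, i) and at(a, i) not in DIGITS) or (at(b, j) and at(b, j) not in DIGITS):
            diff = _order(at(a, i)) - _order(at(b, j))
            if diff:
                return diff
            i, j = i + 1, j + 1
        # Digit run: compare numerically; an empty run counts as 0.
        na = re.match("[0-9]*", a[i:]).group()
        nb = re.match("[0-9]*", b[j:]).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        i, j = i + len(na), j + len(nb)
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare(a, b):
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def matched_by_breaks(installed, bound="4.1.0-1~"):
    # True if `installed` satisfies (<< bound), i.e. the proposed Breaks would apply to it.
    return compare(installed, bound) < 0

if __name__ == "__main__":
    # 4.1.0~beta5-1 is from the thread; the other versions are constructed samples.
    for v in ("3.0.8-3", "4.1.0~beta5-1", "4.1.0-1~bpo13+1", "4.1.0-1"):
        print(f"apparmor-profiles {v:16} matched by Breaks: {matched_by_breaks(v)}")
```

The trailing `~` in the bound is what lets a backport-style revision such as `4.1.0-1~bpo13+1` sort above it, while any `4.1.0~...` pre-release sorts below.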
