[OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
@ 2025-10-21 13:59 Anders Heimer
  2025-10-21 14:15 ` Marko, Peter
  0 siblings, 1 reply; 3+ messages in thread
From: Anders Heimer @ 2025-10-21 13:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Anders Heimer

CVE-2025-6018 is a local privilege escalation in PAM that requires
`user_readenv=1` to be enabled in the PAM configuration. The default
configuration does not enable reading user environment files (user_readenv
is 0 by default). Hence this vulnerability cannot be exploited using the
default configuration.

Signed-off-by: Anders Heimer <anders.heimer@est.tech>
---
 meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-extended/pam/libpam_1.7.1.bb
index 8d9ea27028..42b50a8c22 100644
--- a/meta/recipes-extended/pam/libpam_1.7.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
@@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
 
 SRC_URI[sha256sum] = "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0"
 
+CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config does not use user_readenv=1"
+
 DEPENDS = "bison-native flex-native libxml2-native virtual/crypt"
 
 EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security"

base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
  2025-10-21 13:59 [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable Anders Heimer
@ 2025-10-21 14:15 ` Marko, Peter
  2025-10-22 14:46   ` Anders Heimer
  0 siblings, 1 reply; 3+ messages in thread
From: Marko, Peter @ 2025-10-21 14:15 UTC (permalink / raw)
  To: Anders Heimer, openembedded-core@lists.openembedded.org

NVD shows following CPE for this CVE:
cpe:2.3:a:suse:pam-config:1.1.8-24.71.1:*:*:*:*:*:*:*

So we don't need to ignore it as it won't show up in Yocto CVE reports.
Next time I'd search for obsolete CVE_STATUS entries I'd erase this commit.
What's the reason for this patch?

What would be worth investigating is CVE-2024-10041 which is reported for libpam recipe.
Unfortunately not reported on autobuilder as it's not using systemd+pam distro config.

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Anders Heimer
> Sent: Tuesday, October 21, 2025 15:59
> To: openembedded-core@lists.openembedded.org
> Cc: Anders Heimer <anders.heimer@est.tech>
> Subject: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
> 
> CVE-2025-6018 is a local privilege escalation in PAM that requires
> `user_readenv=1` to be enabled in the PAM configuration. The default
> configuration does not enable reading user environment files (user_readenv
> is 0 by default). Hence this vulnerability cannot be exploited using the
> default configuration.
> 
> Signed-off-by: Anders Heimer <anders.heimer@est.tech>
> ---
>  meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-
> extended/pam/libpam_1.7.1.bb
> index 8d9ea27028..42b50a8c22 100644
> --- a/meta/recipes-extended/pam/libpam_1.7.1.bb
> +++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
> @@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-
> PAM-${PV}.tar.xz \
> 
>  SRC_URI[sha256sum] =
> "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0"
> 
> +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config
> does not use user_readenv=1"
> +
>  DEPENDS = "bison-native flex-native libxml2-native virtual/crypt"
> 
>  EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security"
> 
> base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9
> --
> 2.34.1



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
  2025-10-21 14:15 ` Marko, Peter
@ 2025-10-22 14:46   ` Anders Heimer
  0 siblings, 0 replies; 3+ messages in thread
From: Anders Heimer @ 2025-10-22 14:46 UTC (permalink / raw)
  To: peter.marko, Anders Heimer,
	openembedded-core@lists.openembedded.org

On 10/21/25 16:15, Peter Marko via lists.openembedded.org wrote:
> NVD shows following CPE for this CVE:
> cpe:2.3:a:suse:pam-config:1.1.8-24.71.1:*:*:*:*:*:*:*
>
> So we don't need to ignore it as it won't show up in Yocto CVE reports.
> Next time I'd search for obsolete CVE_STATUS entries I'd erase this commit.
> What's the reason for this patch?

Thanks for the clarification.

I agree, CVE-2025-6018 doesn’t hit Yocto’s libpam.

My patch came from our internal scanner flagging the CVE; it doesn’t use 
Yocto’s product mapping and raised a false positive.

Br, Anders
>
> What would be worth investigating is CVE-2024-10041 which is reported for libpam recipe.
> Unfortunately not reported on autobuilder as it's not using systemd+pam distro config.
>
> Peter
>
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-
>> core@lists.openembedded.org> On Behalf Of Anders Heimer
>> Sent: Tuesday, October 21, 2025 15:59
>> To: openembedded-core@lists.openembedded.org
>> Cc: Anders Heimer <anders.heimer@est.tech>
>> Subject: [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable
>>
>> CVE-2025-6018 is a local privilege escalation in PAM that requires
>> `user_readenv=1` to be enabled in the PAM configuration. The default
>> configuration does not enable reading user environment files (user_readenv
>> is 0 by default). Hence this vulnerability cannot be exploited using the
>> default configuration.
>>
>> Signed-off-by: Anders Heimer <anders.heimer@est.tech>
>> ---
>>   meta/recipes-extended/pam/libpam_1.7.1.bb | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/meta/recipes-extended/pam/libpam_1.7.1.bb b/meta/recipes-
>> extended/pam/libpam_1.7.1.bb
>> index 8d9ea27028..42b50a8c22 100644
>> --- a/meta/recipes-extended/pam/libpam_1.7.1.bb
>> +++ b/meta/recipes-extended/pam/libpam_1.7.1.bb
>> @@ -26,6 +26,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-
>> PAM-${PV}.tar.xz \
>>
>>   SRC_URI[sha256sum] =
>> "21dbcec6e01dd578f14789eac9024a18941e6f2702a05cf91b28c232eeb26ab0"
>>
>> +CVE_STATUS[CVE-2025-6018] = "not-applicable-config: Default PAM config
>> does not use user_readenv=1"
>> +
>>   DEPENDS = "bison-native flex-native libxml2-native virtual/crypt"
>>
>>   EXTRA_OEMESON = "-Ddocs=disabled -Dsecuredir=${base_libdir}/security"
>>
>> base-commit: 416731b8756cd2689055ada2deaff48c7751d3b9
>> --
>> 2.34.1
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#225151): https://lists.openembedded.org/g/openembedded-core/message/225151
> Mute This Topic: https://lists.openembedded.org/mt/115873392/7170510
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [anders.heimer@runbox.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-10-22 14:47 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-21 13:59 [OE-core][PATCH] libpam: mark CVE-2025-6018 as not applicable Anders Heimer
2025-10-21 14:15 ` Marko, Peter
2025-10-22 14:46   ` Anders Heimer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox