uncommitted - pam-u2f

Ready changes

Summary

Import uploads missing from VCS:

Diff

diff --git a/debian/changelog b/debian/changelog
index f7b10b9..1fac7d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pam-u2f (1.1.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle converse() returning NULL (CVE-2021-31924) (Closes: #987545)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 05 Jun 2021 15:04:24 +0200
+
 pam-u2f (1.1.0-1) unstable; urgency=low
 
   * New upstream version 1.1.0 (2020-09-17)
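Review bot: the new changelog entry at the top of the hunk names the CVE and Closes: #987545 but gives no pointer to the upstream fix, while the patch header added in the same upload already carries Origin: https://github.com/Yubico/pam-u2f/commit/6059b057dd9b6d0164fc16f9422c0d728f902bb5 and Bug: https://github.com/Yubico/pam-u2f/issues/175. Repeating the patch name or upstream issue in the changelog line, e.g. "Handle converse() returning NULL (CVE-2021-31924, upstream #175)", lets the security tracker and the changelog be matched without opening debian/patches. The NMU version 1.1.0-1.1 and the "Non-maintainer upload." line follow the usual convention.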
diff --git a/debian/patches/Handle-converse-returning-NULL.patch b/debian/patches/Handle-converse-returning-NULL.patch
new file mode 100644
index 0000000..cfa1c16
--- /dev/null
+++ b/debian/patches/Handle-converse-returning-NULL.patch
@@ -0,0 +1,37 @@
+From: pedro martelletto <pedro@yubico.com>
+Date: Wed, 19 May 2021 09:08:44 +0200
+Subject: Handle converse() returning NULL
+Origin: https://github.com/Yubico/pam-u2f/commit/6059b057dd9b6d0164fc16f9422c0d728f902bb5
+Bug: https://github.com/Yubico/pam-u2f/issues/175
+Bug-Debian: https://bugs.debian.org/987545
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31924
+
+If a PIN is required and converse() returns NULL, abort the
+authentication flow instead of reverting to FIDO2 without PIN.
+Fixes #175.
+---
+ util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/util.c b/util.c
+index 3ea1bd2be7e6..fb07dc70d545 100644
+--- a/util.c
++++ b/util.c
+@@ -1379,8 +1379,13 @@ int do_authentication(const cfg_t *cfg, const device_t *devices,
+           goto out;
+         }
+ 
+-        if (pin_verification == FIDO_OPT_TRUE)
++        if (pin_verification == FIDO_OPT_TRUE) {
+           pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: ");
++          if (pin == NULL) {
++            D(cfg->debug_file, "converse() returned NULL");
++            goto out;
++          }
++        }
+         if (user_presence == FIDO_OPT_TRUE ||
+             user_verification == FIDO_OPT_TRUE) {
+           if (cfg->manual == 0 && cfg->cue && !cued) {
+-- 
+2.32.0.rc0
+
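Review bot: the new `if (pin == NULL)` check in the inner util.c hunk only catches converse() failing outright; it routes that case to `out`, which is the fail-closed behaviour the patch description asks for, but a prompt that returns an empty string still reaches the following `user_presence == FIDO_OPT_TRUE || user_verification == FIDO_OPT_TRUE` block with `pin` pointing at "" rather than NULL, so whether that case is refused depends on code outside this hunk and is worth confirming. Two more things to verify at the `out:` label, which is not in the hunk: that `pin` is cleared and freed on this new early exit the same way as on the pre-existing `goto out` at the top of the hunk, and that the `D(cfg->debug_file, "converse() returned NULL")` message is distinguishable in logs from a wrong-PIN failure; a wording such as "PIN prompt failed, aborting authentication" would make that clearer. The DEP-3 header (Origin, Bug, Bug-Debian, Bug-Debian-Security) is complete and points at the upstream commit.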
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4e61de9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+Handle-converse-returning-NULL.patch

Debdiff

[The following lists of changes regard files as different if they have different names, permissions or owners.]

Files in second set of .debs but not in first

-rw-r--r--  root/root   /usr/lib/debug/.build-id/64/3f82ae637c04b0133f123cf963690f72ba00ce.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/d7/99917e8653a23e9a23ce2abeac3a0829ae5b5e.debug

Files in first set of .debs but not in second

-rw-r--r--  root/root   /usr/lib/debug/.build-id/da/dffb66a6d24c16abba8c4429ab1979cc73c8c6.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/f1/41c30c5f98dd5fb41ede4fabaee0a8fc26bd41.debug

No differences were encountered between the control files of package libpam-u2f

Control files of package libpam-u2f-dbgsym: lines which differ (wdiff format)

  • Build-Ids: dadffb66a6d24c16abba8c4429ab1979cc73c8c6 d799917e8653a23e9a23ce2abeac3a0829ae5b5e

No differences were encountered between the control files of package pamu2fcfg

Control files of package pamu2fcfg-dbgsym: lines which differ (wdiff format)

  • Build-Ids: f141c30c5f98dd5fb41ede4fabaee0a8fc26bd41 643f82ae637c04b0133f123cf963690f72ba00ce
