Package: libpam-u2f
Version: 1.1.0-1
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: kjo...@poczta.onet.pl
I issued it directly against the pam-u2f module, at https://github.com/Yubico/pam-u2f/issues/175, but I am not sure if they want to do anything about it. I did some digging and found that the pin verification flags are used only to print the prompt for the pin, but then there is no check whether the pin is null. And the libuf2 library, in case of a null pin, does not perform pin checking. So my PoC solution is attached (I hope this properly releases resources).

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6       2.31-11
ii  libfido2-1  1.6.0-2
ii  libpam0g    1.4.0-7
ii  libssl1.1   1.1.1k-1

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg   1.1.0-1

libpam-u2f suggests no packages.

-- no debconf information
--- pam-u2f-1.1.0/util.c 2020-08-10 09:19:44.000000000 +0200 +++ pam-u2f-1.1.0-kj/util.c 2021-04-25 13:42:44.707869293 +0200 @@ -1370,8 +1370,12 @@ goto out; } - if (pin_verification == FIDO_OPT_TRUE) + if (pin_verification == FIDO_OPT_TRUE) { pin = converse(pamh, PAM_PROMPT_ECHO_OFF, "Please enter the PIN: "); + if (!pin) + goto out; + + } if (user_presence == FIDO_OPT_TRUE || user_verification == FIDO_OPT_TRUE) { if (cfg->manual == 0 && cfg->cue && !cued) {
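Review bot: The new `if (!pin) goto out;` jumps to the function's cleanup label without setting any error status first, so the fix only closes the hole if the return value at that point is still a failure code; the hunk does not show where the return value is initialised, so please confirm that reaching `out` from this path cannot return success, and that `out` releases whatever was set up before line 1370 (the reporter's own worry about resources). The existing `goto out;` in the leading context suggests the label is already the failure path, which is consistent with the change. Two smaller points: the empty line between `goto out;` and the closing `}` is stray whitespace, and it would help operators to emit a debug or log message before the jump, as an aborted PIN prompt is otherwise indistinguishable from a bad PIN in the PAM logs.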