CVE-2024-10041

mdeslaur

The upstream bug for this issue, #846, indicates that the fix in pull 686, also listed below as the commit in 1.6.0, fixes this issue. Fixing this CVE may require changes in apparmor policies, see: https://salsa.debian.org/apparmor-team/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f https://bugzilla.opensuse.org/show_bug.cgi?id=1219139 https://gitlab.com/apparmor/apparmor/-/commit/243162ca2938b391724f547596787c7f77d1fc5f https://gitlab.com/apparmor/apparmor/-/commit/0deda68bd8edb356228b420c6e0392922155a9fb https://gitlab.com/apparmor/apparmor/-/commit/6f5a4219d737709278c1678f4865d24633059f7d https://gitlab.com/apparmor/apparmor/-/commit/b6eb4620492f61bd57873145edc4b721cf7ca66c This fix will also possibly require changes in other applications: https://github.com/linux-pam/linux-pam/issues/874 https://github.com/linux-pam/linux-pam/issues/747 The pam change required to fix this vulnerability fundamentally changes how passwords are read from the shadow file. Instead of being read by the pam module itself, the patch switches to using the external unix-chkpwd helper. This change is very intrusive and is likely to cause regressions in many environments, including those using custom AppArmor or PAM configurations, and installations that have been hardened. Since this is a local attack that is mostly theoretical and likely very difficult to perform successfully, and there are no public reproducers for this issue, we will not be fixing this issue in stable Ubuntu releases. Marking releases as ignored.