Bug 2291438 (CVE-2024-37408)
| Field | Value |
|---|---|
| Summary | CVE-2024-37408 fprintd: unexpected actions might be authorized with fingerprint reader |
| Product | [Other] Security Response |
| Reporter | Rohit Keshri <rkeshri> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | benjamin-fedora |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in fprintd through version 1.94.3, which lacks a security attention mechanism. As a result, unexpected actions may be authorized when "auth sufficient pam_fprintd.so" is used for sudo. |
| Story Points | --- |
| Last Closed | 2024-06-28 06:31:11 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 2291439 |
| Bug Blocks | 2291437 |
Description
Rohit Keshri
2024-06-12 06:05:22 UTC
Created fprintd tracking bugs for this issue:

Affects: fedora-all [bug 2291439]

As I have said before, there is nothing that fprintd can do about this. The reporter is asking for something that is impossible to implement/ensure for the fprintd stack. This is a fundamental problem with how PAM. The simple way to avoid it is to just not permit fingerprint authentication for "sudo" and on the console, but to only do it for PolicyKit and graphical login. There is *nothing* that fprintd can do about this.
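The mitigation in the comment above (allow fingerprint authentication only for PolicyKit and graphical login, not for sudo or the console) can be checked against a host's /etc/pam.d files. The audit script below is an added example, not code from the bug report or from fprintd; the `ALLOWED_SERVICES` allow-list and the sample service files are assumptions constructed for the demonstration.

```python
"""Flag PAM service files that make pam_fprintd.so a 'sufficient' auth step.

Added example (not from the bug report or fprintd); sample configs are constructed.
"""
import re

# Assumed allow-list: services where fingerprint-as-sufficient is acceptable.
ALLOWED_SERVICES = {"polkit-1", "gdm-fingerprint"}

# type  control  module  [args]; control may be a [bracketed ...] action list.
PAM_LINE = re.compile(r"^(?P<type>-?[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def fingerprint_sufficient_lines(config_text):
    """Return (line_no, line) for each auth line that lets pam_fprintd.so succeed alone."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = PAM_LINE.match(line)
        if not m or m.group("type").lstrip("-") != "auth":
            continue
        if not m.group("module").endswith("pam_fprintd.so"):
            continue
        # 'sufficient' is shorthand for [success=done ...]; treat both the same.
        control = m.group("control")
        if control == "sufficient" or "success=done" in control:
            hits.append((no, raw))
    return hits

def audit(service_configs):
    """Map service name -> offending lines, skipping services on the allow-list."""
    return {
        svc: hits
        for svc, text in service_configs.items()
        if svc not in ALLOWED_SERVICES and (hits := fingerprint_sufficient_lines(text))
    }

# Constructed sample /etc/pam.d files (not copied from any real system).
SAMPLE = {
    "sudo": "auth sufficient pam_fprintd.so\nauth include system-auth\n",
    "polkit-1": "auth sufficient pam_fprintd.so\nauth include system-auth\n",
    "login": "auth [success=done default=bad] pam_fprintd.so\nauth substack system-auth\n",
    "su": "#auth sufficient pam_fprintd.so\nauth substack system-auth\n",
}

if __name__ == "__main__":
    for svc, hits in audit(SAMPLE).items():
        for no, line in hits:
            print(f"{svc}:{no}: {line}")
```

Lines pulled in through `include` or `substack` are not followed, so a shared stack such as system-auth must be audited as its own entry; a fingerprint line placed there reaches sudo through the include, which is the PAM-level problem the comment describes.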