Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531)

["Douglas R. Reno" <renodr () linuxfromscratch org>]

On 2/6/25 8:55 AM, Matthias Gerstner wrote:
> 4) Affected Distributions and Configurations
> ============================================
>
> The issue was introduced in pam_pkcs11 version 0.6.12, released in July
> 2021. Any PAM stack that relies on pam_pkcs11 as the only
> authentication factor will be affected by the issue.
>
> On openSUSE Tumbleweed the issue became apparent only due to the
> mentioned changes in GDM [7], which cause YubiKeys to be treated as
> smart cards in some situations. We believe plugging in any kind of
> mismatching smart card (or YubiKey) on openSUSE Tumbleweed with GDM as a
> display manager will allow to bypass login.
>
> Similar situations could occur on other Linux distributions if GDM smart
> card login is enabled and smart cards are autodetected. Even then, an
> affected "gdm-smartcard" PAM stack still needs to be in place for the
> issue to trigger. gdm-smartcard PAM stacks relying on pam_pkcs11 are
> found in the GDM repository for:
>
> - Arch Linux [22]
> - Exherbo Linux [23]
> - Linux from Scratch [24]

Hello Matthias!

I wanted to chime in here on behalf of my official capacity at Linux 
From Scratch. We don't carry the pam_pkcs11 module, so I don't think 
our users are affected by this particular vulnerability either.

Douglas Reno
Linux From Scratch