CVE-2024-22365
NixOS vulnerability analysis and mitigation

Overview

CVE-2024-22365 affects linux-pam (Linux PAM) versions before 1.6.0. The vulnerability was discovered in January 2024 and officially disclosed on January 17, 2024, with the release of Linux PAM 1.6.0. The issue affects the pam_namespace.so PAM module, which is part of the core PAM modules in the linux-pam project (Linux PAM, NVD).

Technical details

The vulnerability exists in the protect_dir() function of the pam_namespace.so module, where the openat() call lacks the O_DIRECTORY flag. This oversight allows attackers to manipulate the path-crawling logic by placing special files such as FIFOs in user-controlled directories. The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, OSS Security).

Impact

When exploited, this vulnerability allows attackers to cause a denial of service condition by blocking the login process. The attack can be triggered when an unprivileged user (not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated directory) places a FIFO in the target location, causing the openat() in protect_dir() to block indefinitely (OSS Security).

Mitigation and workarounds

The vulnerability has been fixed in Linux PAM version 1.6.0 by adding the O_DIRECTORY flag to the openat() call in the protect_dir() function. The fix prevents the open operation from succeeding if the path does not refer to a directory. Users and administrators should upgrade to Linux PAM version 1.6.0 or later to address this vulnerability (Linux PAM Release, PAM Patch).
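The effect of the flag can be reproduced on a scratch directory. The following is an added example for Linux, not code from linux-pam: it compares an openat() with and without O_DIRECTORY on a FIFO that has no writer. The helper names (open_component, open_blocks, make_fixture) and the /tmp fixture path are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open one path component relative to dirfd; returns the fd or -errno. */
static int open_component(int dirfd, const char *name, int flags)
{
    int fd = openat(dirfd, name, flags);
    return fd >= 0 ? fd : -errno;
}

/* 1 if the open was still blocked after 1 s (child killed by SIGALRM), 0 if it returned. */
static int open_blocks(int dirfd, const char *name, int flags)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        alarm(1);                       /* watchdog for the blocking open */
        open_component(dirfd, name, flags);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGALRM;
}

/* Constructed fixture: scratch directory holding a FIFO and a subdirectory. */
static int make_fixture(void)
{
    char tmpl[] = "/tmp/pamns-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd < 0 || mkfifoat(dfd, "fifo", 0600) || mkdirat(dfd, "dir", 0700)) return -1;
    return dfd;
}

int main(void)
{
    int dfd = make_fixture();
    if (dfd < 0) return 1;
    printf("O_RDONLY blocks on FIFO: %d\n", open_blocks(dfd, "fifo", O_RDONLY));
    printf("O_RDONLY|O_DIRECTORY: %d (-ENOTDIR is %d)\n", open_component(dfd, "fifo", O_RDONLY | O_DIRECTORY), -ENOTDIR);
    return 0;
}
```

The same check applies when auditing other path-walking code: any openat() on a component that must be a directory should carry O_DIRECTORY so that special files fail fast with ENOTDIR.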
