pam_namespace: fix potential privilege escalation

Resolves: CVE-2025-6020 and RHEL-96724

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

pam-1.3.1-pam-inline-pam-asprintf.patch

@@ -0,0 +1,67 @@
+diff -up Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.pam-inline-pam-asprintf Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h
+--- Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h.pam-inline-pam-asprintf	2025-06-17 10:12:31.039519165 +0200
++++ Linux-PAM-1.3.1/libpam/include/pam_cc_compat.h	2025-06-17 10:17:40.313892315 +0200
+@@ -15,6 +15,12 @@
+ # define PAM_CLANG_PREREQ(maj, min)	0
+ #endif
+ 
++#if PAM_GNUC_PREREQ(3, 0)
++# define PAM_ATTRIBUTE_MALLOC		__attribute__((__malloc__))
++#else
++# define PAM_ATTRIBUTE_MALLOC		/* empty */
++#endif
++
+ #if PAM_GNUC_PREREQ(4, 6)
+ # define DIAG_PUSH_IGNORE_CAST_QUAL					\
+ 	_Pragma("GCC diagnostic push");					\
+diff -up Linux-PAM-1.3.1/libpam/include/pam_inline.h.pam-inline-pam-asprintf Linux-PAM-1.3.1/libpam/include/pam_inline.h
+--- Linux-PAM-1.3.1/libpam/include/pam_inline.h.pam-inline-pam-asprintf	2025-06-17 10:12:31.039639983 +0200
++++ Linux-PAM-1.3.1/libpam/include/pam_inline.h	2025-06-17 10:19:03.453146173 +0200
+@@ -9,6 +9,9 @@
+ #define PAM_INLINE_H
+ 
+ #include "pam_cc_compat.h"
++#include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ 
+ /*
+@@ -64,4 +67,37 @@ pam_str_skip_icase_prefix_len(const char
+ #define pam_str_skip_icase_prefix(str_, prefix_)	\
+ 	pam_str_skip_icase_prefix_len((str_), (prefix_), sizeof(prefix_) - 1 + PAM_MUST_BE_ARRAY(prefix_))
+ 
++static inline char * PAM_FORMAT((printf, 1, 2)) PAM_NONNULL((1)) PAM_ATTRIBUTE_MALLOC
++pam_asprintf(const char *fmt, ...)
++{
++	int rc;
++	char *res;
++	va_list ap;
++
++	va_start(ap, fmt);
++	rc = vasprintf(&res, fmt, ap);
++	va_end(ap);
++
++	return rc < 0 ? NULL : res;
++}
++
++static inline int PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3))
++pam_snprintf(char *str, size_t size, const char *fmt, ...)
++{
++	int rc;
++	va_list ap;
++
++	va_start(ap, fmt);
++	rc = vsnprintf(str, size, fmt, ap);
++	va_end(ap);
++
++	if (rc < 0 || (unsigned int) rc >= size)
++		return -1;
++	return rc;
++}
++
++#define pam_sprintf(str_, fmt_, ...)						\
++	pam_snprintf((str_), sizeof(str_) + PAM_MUST_BE_ARRAY(str_), (fmt_),	\
++		     ##__VA_ARGS__)
++
+ #endif /* PAM_INLINE_H */

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 36%{?dist}
+Release: 37%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -123,6 +123,10 @@ Patch73: pam-1.3.1-pam-access-local.patch
 Patch74: pam-1.3.1-libpam-support-long-lines.patch
 # https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
 Patch75: pam-1.3.1-pam-access-resolve-ip.patch
+# https://github.com/linux-pam/linux-pam/commit/10b80543807e3fc5af5f8bcfd8bb6e219bb3cecc
+Patch76: pam-1.3.1-pam-inline-pam-asprintf.patch
+# Available upstream
+Patch77: pam-1.3.1-pam-namespace-rebase.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -246,6 +250,8 @@ cp %{SOURCE18} .
 %patch73 -p1 -b .pam-access-local
 %patch74 -p1 -b .libpam-support-long-lines
 %patch75 -p1 -b .pam-access-resolve-ip
+%patch76 -p1 -b .pam-inline-pam-asprintf
+%patch77 -p1 -b .pam-namespace-rebase
 
 autoreconf -i
 
@@ -499,6 +505,10 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Mon Jun 16 2025 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-37
+- pam_namespace: fix potential privilege escalation.
+  Resolves: CVE-2025-6020 and RHEL-96724
+
 * Mon Nov 25 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-36
 - pam_access: rework resolving of tokens as hostname.
   Resolves: CVE-2024-10963 and RHEL-66242