ArchLinux: 202012-13: pam: authentication bypass
Summary
An authentication bypass issue was found in pam 1.5.0. Nonexistent users could authenticate if the root password was empty.
Resolution
Upgrade to 1.5.0-2.
# pacman -Syu "pam>=1.5.0-2"
The problem has been fixed upstream but no release is available yet.
References
https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5
https://github.com/linux-pam/linux-pam/pull/300
https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
https://security.archlinux.org/CVE-2020-27780
Workaround
The issue can be mitigated by setting a non-empty password for the root user.
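An added example, not part of the Arch advisory or the linux-pam project, that checks a host for the two conditions described above: whether the installed pam package is at least the fixed release 1.5.0-2, and whether the root entry in /etc/shadow has an empty password field (the precondition for the bypass). It assumes pacman's "pam VERSION-REL" output format and the shadow(5) line layout; the version comparison is a small numeric compare written here, not pacman's vercmp.

```shell
#!/bin/sh
# Added example (not Arch's or linux-pam's code): audit a host for the
# conditions in advisory 202012-13. Assumes pacman -Q output "pam 1.5.0-2"
# and shadow(5)-style lines "name:password:lastchg:...".

FIXED_PAM="1.5.0-2"   # first package release carrying the fix (from the advisory)

# version_ge A B: succeed when pacman-style version A (pkgver-pkgrel) is >= B.
# Dotted components and the pkgrel are compared numerically; missing parts are 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# pam_version_fixed "pam 1.5.0-2": succeed when the installed pam is >= FIXED_PAM.
pam_version_fixed() {
    set -- $1                      # split "pam 1.5.0-2" into name and version
    [ "$1" = "pam" ] || return 1   # empty or unexpected output counts as not fixed
    version_ge "$2" "$FIXED_PAM"
}

# shadow_password_empty LINE: succeed when the password field of a shadow(5)
# line is empty. Locked ("!", "*") or hashed fields are not empty and fail.
shadow_password_empty() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    [ -z "$pw" ]
}

# audit_host: run both checks against the live system (reading /etc/shadow needs root).
audit_host() {
    status=0
    if pam_version_fixed "$(pacman -Q pam 2>/dev/null)"; then
        echo "pam: fixed release installed"
    else
        echo "pam: older than $FIXED_PAM, upgrade with: pacman -Syu \"pam>=$FIXED_PAM\""
        status=1
    fi
    rootline=$(grep '^root:' /etc/shadow 2>/dev/null)
    if [ -z "$rootline" ]; then
        echo "root: could not read /etc/shadow (run as root)"
        status=1
    elif shadow_password_empty "$rootline"; then
        echo "root: password field is empty, set one with: passwd root"
        status=1
    else
        echo "root: password field is not empty"
    fi
    return $status
}

# Only touch the live system when asked explicitly:  sh pam_check.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run with --live as root on the host being checked; a non-zero exit means at least one condition still applies. The helper functions take their input as arguments so they can be exercised against constructed lines without touching /etc/shadow.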