Bug 672486 (CVE-2010-4707)

Summary: CVE-2010-4707 pam: pam_xauth: Does not check if certain ACL file is a regular file
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bressers, tmraz, wnefal+redhatbugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-18 19:17:06 UTC

Description Jan Lieskovsky 2011-01-25 10:06:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4707 to
the following vulnerability:

The check_acl function in pam_xauth.c in the pam_xauth module in
Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain
ACL file is a regular file, which might allow local users to cause a
denial of service (resource consumption) via a special file.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4707
[2] http://openwall.com/lists/oss-security/2010/10/03/1
[3] http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=Linux-PAM-1_1_2-2-gffe7058c70253d574b1963c7c93002bd410fddc9

Comment 1 Jan Lieskovsky 2011-01-25 10:09:13 UTC
This issue affects the version of the pam package, as shipped
with Red Hat Enterprise Linux 4.

This issue does NOT affect the versions of the pam package,
as shipped with Red Hat Enterprise Linux 5 and 6. Relevant
pam package versions were already updated:
1. for Red Hat Enterprise Linux 5 via:
   RHSA-2010:0819 https://rhn.redhat.com/errata/RHSA-2010-0819.html

2. for Red Hat Enterprise Linux 6 via:
   RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

--

This issue does NOT affect the versions of the pam package, as shipped
with Fedora releases 13 and 14. Relevant pam package versions were
already updated:
1. for Fedora-13 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc13
2. for Fedora-14 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc14

Comment 2 Tomas Hoger 2011-02-01 11:01:54 UTC
I'm not sure why the CVE description mentions resource consumption DoS here.  It seems the main concern is that some service using pam_xauth may block on read if a user replaces their ACL file with e.g. a pipe.  The pam_xauth module is only used with local applications used to switch or elevate privileges (su, system-config-* GUI configuration utilities), so the local user can block certain apps (su, consolehelper) running with different privileges.  However, this can only happen if the user is allowed to run those applications (commands run via su, or system-config-*) with changed privileges, which is likely to require more resources than a small suid helper blocked on read.  So the security impact is limited.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue was addressed in the PAM packages in Red Hat Enterprise Linux 5 via RHSA-2010:0819 and in Red Hat Enterprise Linux 6 via RHSA-2010:0891. A future update may correct this issue in the PAM packages in Red Hat Enterprise Linux 4.
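The class of check discussed above, as an added illustration that is not Linux-PAM's own code or its upstream fix: a privileged helper opens a user-controlled ACL file non-blocking, verifies on the opened descriptor that it is a regular file, and only then restores blocking reads, so a FIFO planted in place of the file cannot stall the process. The paths, the temp directory standing in for ~/.xauth/ and the sample file content are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return a blocking read-only fd for PATH if it is a regular file, else -1.
 * O_NONBLOCK stops open() hanging on a FIFO with no writer; O_NOFOLLOW and
 * O_NOCTTY reject symlinks and keep a tty node from becoming our ctty. */
int open_regular_acl(const char *path)
{
    struct stat st;
    int fl, fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* Check the fd we opened, not the path: stat() before open() would be a
     * TOCTOU race against the user who owns the directory. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (fl = fcntl(fd, F_GETFL)) < 0 ||
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) < 0) { /* plain file: block again */
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 when a constructed regular "export" file opens and a constructed
 * FIFO named "import" (both in a temp dir standing in for ~/.xauth/) is
 * refused without blocking, 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/xauth-acl-XXXXXX", reg[64], fifo[64];
    FILE *fp;
    int fd;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(reg, sizeof reg, "%s/export", dir);
    snprintf(fifo, sizeof fifo, "%s/import", dir);
    if ((fp = fopen(reg, "w")) == NULL)
        return 0;
    fputs("*\n", fp); /* constructed sample ACL content */
    fclose(fp);
    if (mkfifo(fifo, 0600) != 0 || (fd = open_regular_acl(reg)) < 0)
        return 0;
    close(fd);
    return open_regular_acl(fifo) < 0; /* FIFO refused, open() did not block */
}
```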