Bug 672489 (CVE-2010-4708)

Summary: CVE-2010-4708 pam: pam_env: reading ~/.pam_environment is security risk
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-25 11:00:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2011-01-25 10:29:20 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4708 to
the following vulnerability:

The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the
.pam_environment file in a user's home directory, which might allow
local users to run programs with an unintended environment by
executing a program that relies on the pam_env PAM check.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4708
[2] http://openwall.com/lists/oss-security/2010/09/27/7
[3] https://bugzilla.redhat.com/show_bug.cgi?id=641335
[4] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env/pam_env.8.xml?r1=1.7&r2=1.8
[5] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env/pam_env.c?r1=1.22&r2=1.23
Comment 1 Jan Lieskovsky 2011-01-25 10:35:17 UTC 
This issue does NOT affect the versions of the pam package,
as shipped with Red Hat Enterprise Linux 4 and 5, as those
versions do not recognize content of $HOME/.pam_environment file
(user specific environment file) by default yet.

This issue does NOT affect the version of the pam package,
as shipped with Red Hat Enterprise Linux 6. Relevant
pam package version was already updated via:

  RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

--

This issue does NOT affect the versions of the pam package, as shipped
with Fedora release of 13 and 14. Relevant pam package versions were
already updated:
1, for Fedora-13 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc13
2, for Fedora-14 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc14
Comment 2 Tomas Hoger 2011-01-25 11:00:28 UTC 
(In reply to comment #1)
> This issue does NOT affect the versions of the pam package,
> as shipped with Red Hat Enterprise Linux 4 and 5, as those
> versions do not recognize content of $HOME/.pam_environment file
> (user specific environment file) by default yet.

To clarify, pam_environment module in the PAM packages in RHEL-4 and RHEL-5 has no support for reading user-specific ~/.pam_environment.  Hence both default and non-default configurations can not be affected.

> This issue does NOT affect the version of the pam package,
> as shipped with Red Hat Enterprise Linux 6. Relevant
> pam package version was already updated via:
> 
>   RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

This advisory explicitly highlights this change:

  Note: As part of the fix for CVE-2010-3435, this update changes the default
  value of pam_env's configuration option user_readenv to 0, causing the
  module to not read user's ~/.pam_environment configuration file by default,
  as reading it may introduce unexpected changes to the environment of the
  service using PAM, or PAM modules consulted after pam_env.