Bug 672489 (CVE-2010-4708)
Summary: | CVE-2010-4708 pam: pam_env: reading ~/.pam_environment is security risk | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | tmraz |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-01-25 11:00:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Lieskovsky
2011-01-25 10:29:20 UTC
This issue does NOT affect the versions of the pam package, as shipped with Red Hat Enterprise Linux 4 and 5, as those versions do not recognize content of $HOME/.pam_environment file (user specific environment file) by default yet. This issue does NOT affect the version of the pam package, as shipped with Red Hat Enterprise Linux 6. Relevant pam package version was already updated via: RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html -- This issue does NOT affect the versions of the pam package, as shipped with Fedora release of 13 and 14. Relevant pam package versions were already updated: 1, for Fedora-13 the version which contains the patch for this issue is: pam-1.1.1-6.fc13 2, for Fedora-14 the version which contains the patch for this issue is: pam-1.1.1-6.fc14 (In reply to comment #1) > This issue does NOT affect the versions of the pam package, > as shipped with Red Hat Enterprise Linux 4 and 5, as those > versions do not recognize content of $HOME/.pam_environment file > (user specific environment file) by default yet. To clarify, pam_environment module in the PAM packages in RHEL-4 and RHEL-5 has no support for reading user-specific ~/.pam_environment. Hence both default and non-default configurations can not be affected. > This issue does NOT affect the version of the pam package, > as shipped with Red Hat Enterprise Linux 6. Relevant > pam package version was already updated via: > > RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html This advisory explicitly highlights this change: Note: As part of the fix for CVE-2010-3435, this update changes the default value of pam_env's configuration option user_readenv to 0, causing the module to not read user's ~/.pam_environment configuration file by default, as reading it may introduce unexpected changes to the environment of the service using PAM, or PAM modules consulted after pam_env. |