Bug 746620 (CVE-2011-3149)

Summary: CVE-2011-3149 pam (pam_env): Infinite loop by expanding certain arguments
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-22 04:34:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 748817, 865990    
Bug Blocks: 746631, 855229    

Description Jan Lieskovsky 2011-10-17 10:06:56 UTC 
An infinite loop flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool expanded certain environment variables, when both pam_env module and reading of the user specific environment file were enabled. A local attacker could use this flaw to cause the pam_env module check to enter the infinite loop and spam system log file of the particular host.
Comment 1 Jan Lieskovsky 2011-10-17 10:17:05 UTC 
Acknowledgements:

Red Hat would like to thank Kees Cook of Google ChromeOS Team for reporting
this issue.
Comment 8 Huzaifa S. Sidhpurwala 2011-10-18 05:17:01 UTC 
Reading of user-supplied environment files is disabled by default in the pam package versions, as shipped with various releases of Red Hat Enterprise Linux and Fedora, more information at:

https://bugzilla.redhat.com/show_bug.cgi?id=746619#c9
Comment 12 Huzaifa S. Sidhpurwala 2011-10-19 10:53:53 UTC 
This issue does not affect the version of the pam package, as shipped with
Red Hat Enterprise Linux 4 and 5, because they do not support reading user specific environment file via ~/.pam_environment

This issue affects the version of the pam package, as shipped with Red Hat
Enterprise Linux 6.

This issue affects the version of pam package, as shipped with Fedora 14 and 15.
Comment 13 Huzaifa S. Sidhpurwala 2011-10-21 04:48:06 UTC 
Statement:

This issue did not affect the versions of pam package as shipped with Red Hat Enterprise Linux 4 and 5.
Comment 14 Jan Lieskovsky 2011-10-25 12:57:29 UTC 
Public via:
[1] https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565

Relevant upstream patch:
[2] http://git.fedorahosted.org/git/?p=linux-pam.git;a=commitdiff;h=109823cb621c900c07c4b6cdc99070d354d19444
Comment 15 Jan Lieskovsky 2011-10-25 13:03:36 UTC 
Created pam tracking bugs for this issue

Affects: fedora-all [bug 748817]
Comment 17 errata-xmlrpc 2013-02-21 10:36:40 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0521 https://rhn.redhat.com/errata/RHSA-2013-0521.html