Bug 746620 (CVE-2011-3149)

Summary: CVE-2011-3149 pam (pam_env): Infinite loop by expanding certain arguments
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20111024,reported=20111014,source=distros,cvss2=1.2/AV:L/AC:H/Au:N/C:N/I:N/A:P,rhel-4/pam=notaffected,rhel-5/pam=notaffected,rhel-6/pam=affected,fedora-all/pam=affected,cwe=CWE-835[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 23:34:36 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 748817, 865990    
Bug Blocks: 746631, 855229    

Description Jan Lieskovsky 2011-10-17 06:06:56 EDT
An infinite loop flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool expanded certain environment variables, when both pam_env module and reading of the user specific environment file were enabled. A local attacker could use this flaw to cause the pam_env module check to enter the infinite loop and spam system log file of the particular host.
Comment 1 Jan Lieskovsky 2011-10-17 06:17:05 EDT

Red Hat would like to thank Kees Cook of Google ChromeOS Team for reporting
this issue.
Comment 8 Huzaifa S. Sidhpurwala 2011-10-18 01:17:01 EDT
Reading of user-supplied environment files is disabled by default in the pam package versions, as shipped with various releases of Red Hat Enterprise Linux and Fedora, more information at:

Comment 12 Huzaifa S. Sidhpurwala 2011-10-19 06:53:53 EDT
This issue does not affect the version of the pam package, as shipped with
Red Hat Enterprise Linux 4 and 5, because they do not support reading user specific environment file via ~/.pam_environment

This issue affects the version of the pam package, as shipped with Red Hat
Enterprise Linux 6.

This issue affects the version of pam package, as shipped with Fedora 14 and 15.
Comment 13 Huzaifa S. Sidhpurwala 2011-10-21 00:48:06 EDT

This issue did not affect the versions of pam package as shipped with Red Hat Enterprise Linux 4 and 5.
Comment 15 Jan Lieskovsky 2011-10-25 09:03:36 EDT
Created pam tracking bugs for this issue

Affects: fedora-all [bug 748817]
Comment 17 errata-xmlrpc 2013-02-21 05:36:40 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0521 https://rhn.redhat.com/errata/RHSA-2013-0521.html