The Georgia Institute of Technology reports: When a program map uses an interpreted language like Python, it is possible to load and execute arbitrary code from a user's home directory. This is because the standard environment variables are used to locate and load modules when using these languages. To avoid that, we need to add a prefix to these environment variable names so they aren't used for this purpose. The prefix used is "AUTOFS_" and is not configurable.
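The mechanism described above, as an added example that is not part of this report or of the autofs code: a fresh interpreter is started twice with the same caller-derived variables, once under their standard names (the pre-fix behaviour) and once renamed with the AUTOFS_ prefix, and asked to import a module planted in a directory the unprivileged user controls. The choice of PYTHONPATH as the "standard environment variable", the module name autofs_map_helper and the helper names child_env, probe_import and run_demo are assumptions of this example, not details from the report.

```python
"""Added example (not autofs code): a program map written in an interpreted
language picks up module search paths from standard environment variables,
so a directory the caller controls can supply the modules the map imports.
Renaming the variables with the AUTOFS_ prefix keeps their values but makes
the interpreter ignore them.
"""
import os
import subprocess
import sys
import tempfile

AUTOFS_PREFIX = "AUTOFS_"             # the non-configurable prefix the fix adds
PLANTED_MODULE = "autofs_map_helper"  # hypothetical module a map script imports


def child_env(caller_vars, prefix=""):
    """Build the environment a map program would be started with.

    caller_vars holds values derived from the user who triggered the mount
    (here HOME and PYTHONPATH, both constructed). With prefix="" they are
    exported under their standard names, which the interpreter consults when
    it builds sys.path; with prefix="AUTOFS_" they keep the same values but
    the interpreter no longer recognises them. Module-path variables from the
    parent's own environment are stripped so only caller_vars matter.
    """
    base = {k: v for k, v in os.environ.items() if not k.startswith("PYTHON")}
    base.update({prefix + name: value for name, value in caller_vars.items()})
    return base


def probe_import(env, module):
    """Start a new interpreter under env and try to import module.

    Returns the path of the file that was imported, or None if the import
    failed. A separate process is used because sys.path is fixed at
    interpreter start-up, exactly as it is for a map program launched by
    the automounter.
    """
    code = f"import {module}; print({module}.__file__)"
    proc = subprocess.run(
        [sys.executable, "-c", code],
        env=env, capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def run_demo():
    """Plant a module in a user-controlled directory and probe both environments."""
    with tempfile.TemporaryDirectory() as home:  # stands in for the user's home
        planted_dir = os.path.join(home, "pymods")
        os.makedirs(planted_dir)
        with open(os.path.join(planted_dir, PLANTED_MODULE + ".py"), "w") as f:
            # Whatever is written here runs with the map program's privileges
            # if the interpreter picks this directory up.
            f.write("PLANTED = True\n")

        # Constructed caller-derived variables, as a program map would receive them.
        caller_vars = {"HOME": home, "PYTHONPATH": planted_dir}

        return {
            # vulnerable: standard names, so PYTHONPATH extends sys.path
            "unprefixed": probe_import(child_env(caller_vars), PLANTED_MODULE),
            # fixed: AUTOFS_PYTHONPATH carries the same value but is inert
            "prefixed": probe_import(child_env(caller_vars, AUTOFS_PREFIX), PLANTED_MODULE),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        status = "imported " + result if result else "import failed (module not found)"
        print(f"{name:10s}: {status}")
```

Running the block prints the planted file's path for the unprefixed case and an import failure for the prefixed one; the same check can be applied to any other interpreter-specific lookup variable by adding it to caller_vars, since the prefix logic in child_env does not depend on the variable's name.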
(In reply to Huzaifa S. Sidhpurwala from comment #2)
> This issue affects the version of autofs as shipped with Red Hat Enterprise
> Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of
> the support and maintenance life cycle. This issue is not currently planned
> to be addressed in future updates. For additional information, refer to the
> Red Hat Enterprise Linux Life Cycle:
> https://access.redhat.com/support/policy/updates/errata/.

This is not so. RHEL 5 is not affected by this issue.
Acknowledgement: Red Hat would like to thank the Georgia Institute of Technology for reporting this issue.
Statement: This issue does not affect the version of the autofs package as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1344 https://rhn.redhat.com/errata/RHSA-2015-1344.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2417 https://rhn.redhat.com/errata/RHSA-2015-2417.html