If the "trust" option is enabled in the pam_wheel configuration file and the "use_uid" option is disabled, any local user may spoof the username returned by getlogin() and gain access to a super-user account without supplying a password.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0388
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=98826
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=98020

------- Additional Comments From dwb7.edu 2004-08-31 12:36:12 ----

RH seems to have taken a newer version of PAM and adapted it to allow it to build under AS2.1 ... since AS2.1 is 7.x, this should work fine under rh7.3

------- Additional Comments From dwb7.edu 2004-08-31 12:41:35 ----

Built packages for RH7.3:

29e5b7b840a2f49efb3bde1178e245d750d58058 *pam-0.75-46.9.legacy.7x.i386.rpm
1a2faaea448b955ecb65e415704a63eebdb5ccf4 *pam-0.75-46.9.legacy.7x.src.rpm
b16b4604ca121c827f91240d36b54387a3e5a14d *pam-devel-0.75-46.9.legacy.7x.i386.rpm

download from http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/pam

-DWB

------- Additional Comments From ckelley 2004-09-01 04:29:32 ----

1a2faaea448b955ecb65e415704a63eebdb5ccf4 ./pam-0.75-46.9.legacy.7x.src.rpm

flex should be added to the build reqs:

[ ... ]
bison -d -p _pc_yy config.y
config.y contains 1 shift/reduce conflict.
sh ./sed-static config.tab.c
flex -Cr -oconfig.lex.c -P_pc_yy config.l
make[2]: flex: Command not found
make[2]: *** [config.lex.c] Error 127
make[2]: Leaving directory `/usr/src/redhat/BUILD/Linux-PAM-0.75/modules/pam_console'

but Redhat doesn't have it in there. Package builds fine after installing flex.
29e5b7b840a2f49efb3bde1178e245d750d58058 ./pam-0.75-46.9.legacy.7x.i386.rpm

On a test box, I checked /bin/login, /bin/su, /usr/bin/sudo and /usr/bin/passwd (as root, and as a user -- with cracklib test). All of them behaved normally.

The trust exploit requires that the user edit /etc/pam.d/* files (su), and requires a member of the 'wheel' group to be logged in. I couldn't find a published exploit, so I didn't double-check that it is fixed (however, this is from RHEL2, so it should be fine).

Please PUBLISH

------- Additional Comments From jpdalbec 2004-09-01 04:42:20 ----

Created an attachment (id=827)
Differences between the previous RHL 7.3 pam and the update

There are about 64k of differences. I don't see anything that looks malicious, but there's a lot there. I unpacked the differing binary files so those differences can be seen (in the modules/ subdirectories). I gzipped the diff file so it can't be edited.
Here's the detached signature for the attachment:

Here are signed (sha1, md5)sums for the attachment:

pam-0.75-46.7.3-46.9.legacy.7x.diff.gz:
9fc2859c7a79705b888890d6a003d2775ea465ac (sha1sum)
b8decf9dcf0dda23ef4489dd5bf400bd (md5sum)

------- Additional Comments From dwb7.edu 2004-09-02 03:39:54 ----

Built packages for RH7.3: (change from previous -- added BuildPrereq of flex)

sha1sum -b *
5b2644d237bd49a6a00f4e5e2b05130339f57a82 *pam-0.75-46.9.legacy.7x.i386.rpm
47d9413916d5efd7f453adac70dc00889af5392f *pam-0.75-46.9.legacy.7x.src.rpm
6e361eb5e8999d038fc0f97f44662971be0bc1ba *pam-devel-0.75-46.9.legacy.7x.i386.rpm

download from http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/pam

-DWB

------- Additional Comments From ckelley 2004-09-02 04:44:49 ----

47d9413916d5efd7f453adac70dc00889af5392f pam-0.75-46.9.legacy.7x.src.rpm

# diff pam.spec-new pam.spec-old
103c103
< BuildPrereq: autoconf, bison, glib-devel, sed, fileutils, cracklib, cracklib-dicts, flex
---
> BuildPrereq: autoconf, bison, glib-devel, sed, fileutils, cracklib, cracklib-dicts
436,438d435
< * Thu Sep 02 2004 Dave Bostch <dwb7.edu>
< - Added flex to BuildPrereq
<

Flex is added, it looks good

PUBLISH
------- Additional Comments From marcdeslauriers 2004-10-21 16:37:36 ----

I did QA on the following package:

47d9413916d5efd7f453adac70dc00889af5392f pam-0.75-46.9.legacy.7x.src.rpm

- Source files match RHEL2.1 pam update
- Spec file changes from RHEL2.1 update are OK
- Spec file changes and patch changes from previous rh73 release appear OK
- Builds and runs OK

+PUBLISH

------- Additional Comments From pekkas 2005-02-26 00:32:45 ----

There have also been other bugfixes in the RHEL track since, like: https://rhn.redhat.com/errata/RHBA-2004-575.html. Nothing major though; it would be easy to roll new RHL73 packages, but probably not worth the effort.

Package for RHL9 for QA:
- I took the latest RHEL3 update as-is, except I disabled LAUS support
- looking at the spec file, the only functional difference I see is that now the "postgresok" authentication module is also included. Shouldn't be an issue, but easy to disable if so.
- installed OK, logins, su, etc. seemed to work OK

http://www.netcore.fi/pekkas/linux/pam-0.75-62.9.legacy.src.rpm (RHL9)
2e30e4f4b8ddefe7923ea8a09191495958b5d6fe pam-0.75-62.9.legacy.src.rpm

* Sat Feb 26 2005 Pekka Savola <pekkas> 0.75-62.9.legacy
- rebuild for Fedora Legacy to fix CAN-2003-0388 and minor bugs (#2010)
[..plus the RHEL3 changelog...]

------- Additional Comments From pekkas 2005-02-26 01:08:55 ----

Sigh.
In case we want to care about #2146 (wrong console.perms for cdwriters etc.), those patches need to go here as well. It's not clear which bug number should be used to track the packages fixing both (if we want to fix both).

------- Additional Comments From marcdeslauriers 2005-02-26 03:45:01 ----

I don't think we should fix 2146. It will break too many things and no other distro seems to have fixed it. I think we should just stick with this one.

------- Additional Comments From marcdeslauriers 2005-03-02 16:31:25 ----

I did QA on the rh9 package from comment 8:

2e30e4f4b8ddefe7923ea8a09191495958b5d6fe pam-0.75-62.9.legacy.src.rpm

- Source files match previous version plus updates
- New patches are reasonable
- Spec file changes are reasonable
- Builds and runs OK

+PUBLISH

------- Additional Comments From marcdeslauriers 2005-03-05 04:55:30 ----

Packages were pushed to updates-testing

------- Additional Comments From jimpop 2005-03-05 07:18:53 ----

OK, I applied the pam test release to an acceptance level RH73 box and verified some diffs with a production server.
bb7b9e1c63be2eb2064b46eacaf8d0ce68594d11 pam-0.75-46.10.legacy.7x.i386.rpm

---------------------------------------
$ diff /etc/pam.d/chkrootkit /mnt/prod-IPDAER0036MIA1/etc/pam.d/chkrootkit
3d2
< auth sufficient pam_timestamp.so
7d5
< session optional pam_timestamp.so
diff /etc/pam.d/other /mnt/prod-IPDAER0036MIA1/etc/pam.d/other
2,5c2,5
< auth required /lib/security/$ISA/pam_deny.so
< account required /lib/security/$ISA/pam_deny.so
< password required /lib/security/$ISA/pam_deny.so
< session required /lib/security/$ISA/pam_deny.so
---
> auth required /lib/security/pam_deny.so
> account required /lib/security/pam_deny.so
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_deny.so
Only in /etc/pam.d/: system-auth.rpmnew
-----------------------------------------

soooo what's diff between system-auth and system-auth.rpmnew?

-----------------------------------------
$ diff /etc/pam.d/system-auth.rpmnew /etc/pam.d/system-auth
4,6c4,6
< auth required /lib/security/$ISA/pam_env.so
< auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
< auth required /lib/security/$ISA/pam_deny.so
---
> auth required /lib/security/pam_env.so
> auth sufficient /lib/security/pam_unix.so likeauth nullok
> auth required /lib/security/pam_deny.so
8c8
< account required /lib/security/$ISA/pam_unix.so
---
> account required /lib/security/pam_unix.so
10,12c10,12
< password required /lib/security/$ISA/pam_cracklib.so retry=3
< password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
< password required /lib/security/$ISA/pam_deny.so
---
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
14,15c14,15
< session required /lib/security/$ISA/pam_limits.so
< session required /lib/security/$ISA/pam_unix.so
---
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
-----------------------------------------

What's all that $ISA stuff???

------- Additional Comments From marcdeslauriers 2005-03-05 08:59:09 ----

This $ISA stuff was added in newer pam versions in order to support multiple architectures. See: http://www.opengroup.org/pubs/corrigenda/u039f.htm

The change AFAIK was introduced in an earlier RH update, not this one.

------- Additional Comments From jimpop 2005-03-05 09:11:10 ----

Granted, I guess there is some merit to the rationale behind $ISA; however, to me that's a security hole if all it takes is setting a system environment variable (not trivial, but not completely impossible) to change the authentication module used by "su -".

-Jim P.

------- Additional Comments From madhatter 2005-03-05 11:49:28 ----

622eac1455b5ccb0cf75705cc0f42b3226f9cc31 pam-0.75-62.10.legacy.i386.rpm
18c330ff1ef063f21a3b3c8eb297d09bb004ee67 pam-devel-0.75-62.10.legacy.i386.rpm

installed on RH9. I can ssh in, change my password with passwd, and su. hopefully these all use pam (they all have entries in /etc/pam.d).

+VERIFY RH9

------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2010 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2010
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Differences between the previous RHL 7.3 pam and the update
https://bugzilla.fedora.us/attachment.cgi?action=view&id=827

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
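The weak pam_wheel combination this bug is about ("trust" without "use_uid") is easy to audit for mechanically. The Python below is an added example, not code from this thread or from the Linux-PAM project: it parses pam.d-style lines (the $ISA path token is treated as an ordinary path component), flags pam_wheel auth entries that use "trust" without "use_uid", and emits a hardened copy with "use_uid" appended. The sample /etc/pam.d/su content is constructed for the demo.

```python
# Audit pam.d-style config for pam_wheel 'trust' without 'use_uid' (CAN-2003-0388).
# Added example, not code from the bug thread or from Linux-PAM.
from typing import List, Tuple

# Constructed sample /etc/pam.d/su in the RHL 7.3 style seen in the thread
# (the $ISA path token is treated here as an ordinary path component).
SAMPLE_SU = """\
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# wheel members may su without a password; without use_uid the caller is
# identified via getlogin(), which is what CAN-2003-0388 abuses
auth       sufficient   /lib/security/$ISA/pam_wheel.so trust
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
"""

def parse_pam_lines(text: str) -> List[Tuple[int, str, str, str, List[str]]]:
    """Return (lineno, type, control, module basename, args) per config line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()        # strip comments and blanks
        if len(parts) >= 2 and parts[1].startswith("["):
            # bracketed control field ([success=ok ...]) may contain spaces
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None:
                continue
            parts = [parts[0], " ".join(parts[1:end + 1])] + parts[end + 1:]
        if len(parts) < 3:
            continue                                # blank or malformed line
        entries.append((n, parts[0], parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries

def find_wheel_trust_issues(text: str) -> List[int]:
    """Line numbers of pam_wheel auth lines using 'trust' without 'use_uid'."""
    return [n for n, mtype, _, module, args in parse_pam_lines(text)
            if mtype == "auth" and module == "pam_wheel.so"
            and "trust" in args and "use_uid" not in args]

def harden_config(text: str) -> str:
    """Append 'use_uid' to every flagged line so pam_wheel checks the real
    UID rather than the spoofable getlogin() name; comments are preserved."""
    flagged = set(find_wheel_trust_issues(text))
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n in flagged:
            code, sep, comment = raw.partition("#")
            raw = code.rstrip() + " use_uid" + (" " + sep + comment if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run it over each file under /etc/pam.d to find every service that grants wheel members password-less access on the strength of getlogin() alone.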
RHL7.3 verify

sha1:
bb7b9e1c63be2eb2064b46eacaf8d0ce68594d11 pam-0.75-46.10.legacy.7x.i386.rpm
9af62c26654ba14bde7bf6e3b59b9b4f62fd5d35 pam-devel-0.75-46.10.legacy.7x.i386.rpm

signatures:
pam-0.75-46.10.legacy.7x.i386.rpm: md5 gpg OK
pam-devel-0.75-46.10.legacy.7x.i386.rpm: md5 gpg OK

packages install without any errors or warnings. I have been using these packages on 6 production 7.3 machines for over 1 month with no problems.

+VERIFY RHL7.3
These packages were officially released