+++ This bug was initially created as a clone of Bug #402101 +++ Description of problem: pam_xauth's pam_sm_open_session() calls putenv() to put a string into the environment, and then frees that string, leaving the environment with a pointer to free memory. It also calls pam_putenv(), so the value it sets normally makes it into the environment anyway, but the presence of the pointer to freed memory can result in either complete garbage or a reallocated buffer finding its way back into the environment. It can also result in the same variable appearing twice in the environment vector (see below), though the shell generally corrects this by discarding all but one of the duplicates. In our case, we noticed that when su called pam_getenvlist, one of the resulting malloc'd strings was occupying the block freed by pam_xauth. This meant the string in question appeared already in the environment; in our case, prior to another existing value, which meant that both values were exported. Of course, this is only one manifestation of the problem; however, we noticed debugging su that the environment corruption first appeared while pam_open_session() was running, and temporarily removing the entry in /etc/pam.d/su that invokes pam_xauth made the problem go away. We noticed this in pam-0.99.7.1-5.fc7 on i386 F7, but the problem is not platform specific and CVS shows that the bug has been present in upstream pam_xauth since at least Linux-PAM 0.80. This problem was recently fixed upstream; the fix appears in Linux-PAM 0.99.9. I am giving this severity "high" because it affects privileged code including suid programs such as "su", and while I can't prove that an attacker can exploit the bug to scribble on such a program's memory, I also cannot rule out that possibility.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0336.html