Bug 426568 - (CVE-2007-5360) CVE-2007-5360 tog-pegasus pam authentication buffer overflow
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
urgent Severity urgent
Assigned To: Vitezslav Crhonek
reported=20071221,impact=critical,pub...
: Security
Reported: 2007-12-22 03:32 EST by Mark J. Cox (Product Security)
Modified: 2008-01-08 03:44 EST
Doc Type: Bug Fix
Last Closed: 2008-01-08 03:44:35 EST

Description Mark J. Cox (Product Security) 2007-12-22 03:32:49 EST
VMware reported a buffer overflow vulnerability in the PAM authentication code
in the OpenPegasus CIM management server. This vulnerability can be exploited
remotely and results in arbitrary code execution with the privileges of the
cimserver process.

Details in next comment.

Due to the nature of the bug, and the Red Hat changes to the tog-pegasus package,
it's quite likely it has a much reduced impact; this will have to be investigated.

Current embargo is Dec 27th.  I've asked for an extension to Jan 3rd at the
earliest.
Comment 2 Mark J. Cox (Product Security) 2007-12-22 03:35:04 EST
There were some changes made to the authentication code for the Red Hat version;
these need to be checked.

The sprintf is unfortunately not caught by fortify_source (because it's C++)

We do ship with a SELinux policy by default (it was a requirement of shipping
this package)
Comment 3 Mark J. Cox (Product Security) 2007-12-22 07:37:54 EST
Not vulnerable.  The RHEL4 and RHEL5 builds of tog-pegasus do not build with
PEGASUS_USE_PAM_STANDALONE_PROC and therefore do not compile the vulnerable
function.
Comment 6 Tomas Hoger 2008-01-08 02:41:14 EST
Public now:

http://marc.info/?l=full-disclosure&m=119975801904357&w=4
Comment 7 Mark J. Cox (Product Security) 2008-01-08 03:44:35 EST
Whilst this issue does not affect Red Hat Enterprise Linux tog-pegasus packages,
we found a similar issue that does.  Please see
https://bugzilla.redhat.com/show_bug.cgi?id=426578
