Red Hat Bugzilla – Bug 672489
CVE-2010-4708 pam: pam_env: reading ~/.pam_environment is security risk
Last modified: 2011-01-25 06:00:28 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4708 to the following vulnerability: The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4708 [2] http://openwall.com/lists/oss-security/2010/09/27/7 [3] https://bugzilla.redhat.com/show_bug.cgi?id=641335 [4] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env/pam_env.8.xml?r1=1.7&r2=1.8 [5] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env/pam_env.c?r1=1.22&r2=1.23
This issue does NOT affect the versions of the pam package, as shipped with Red Hat Enterprise Linux 4 and 5, as those versions do not recognize content of $HOME/.pam_environment file (user specific environment file) by default yet. This issue does NOT affect the version of the pam package, as shipped with Red Hat Enterprise Linux 6. Relevant pam package version was already updated via: RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html -- This issue does NOT affect the versions of the pam package, as shipped with Fedora release of 13 and 14. Relevant pam package versions were already updated: 1, for Fedora-13 the version which contains the patch for this issue is: pam-1.1.1-6.fc13 2, for Fedora-14 the version which contains the patch for this issue is: pam-1.1.1-6.fc14
(In reply to comment #1) > This issue does NOT affect the versions of the pam package, > as shipped with Red Hat Enterprise Linux 4 and 5, as those > versions do not recognize content of $HOME/.pam_environment file > (user specific environment file) by default yet. To clarify, pam_environment module in the PAM packages in RHEL-4 and RHEL-5 has no support for reading user-specific ~/.pam_environment. Hence both default and non-default configurations can not be affected. > This issue does NOT affect the version of the pam package, > as shipped with Red Hat Enterprise Linux 6. Relevant > pam package version was already updated via: > > RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html This advisory explicitly highlights this change: Note: As part of the fix for CVE-2010-3435, this update changes the default value of pam_env's configuration option user_readenv to 0, causing the module to not read user's ~/.pam_environment configuration file by default, as reading it may introduce unexpected changes to the environment of the service using PAM, or PAM modules consulted after pam_env.