Bug 672489 (CVE-2010-4708) - CVE-2010-4708 pam: pam_env: reading ~/.pam_environment is security risk
Summary: CVE-2010-4708 pam: pam_env: reading ~/.pam_environment is security risk
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-25 10:29 UTC by Jan Lieskovsky
Modified: 2021-03-26 15:08 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-25 11:00:28 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2011-01-25 10:29:20 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4708 to
the following vulnerability:

The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the
.pam_environment file in a user's home directory, which might allow
local users to run programs with an unintended environment by
executing a program that relies on the pam_env PAM check.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4708
[2] http://openwall.com/lists/oss-security/2010/09/27/7
[3] https://bugzilla.redhat.com/show_bug.cgi?id=641335
[4] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env/pam_env.8.xml?r1=1.7&r2=1.8
[5] http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env/pam_env.c?r1=1.22&r2=1.23

Comment 1 Jan Lieskovsky 2011-01-25 10:35:17 UTC
This issue does NOT affect the versions of the pam package,
as shipped with Red Hat Enterprise Linux 4 and 5, as those
versions do not recognize content of $HOME/.pam_environment file
(user specific environment file) by default yet.

This issue does NOT affect the version of the pam package,
as shipped with Red Hat Enterprise Linux 6. Relevant
pam package version was already updated via:

  RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

--

This issue does NOT affect the versions of the pam package, as shipped
with Fedora release of 13 and 14. Relevant pam package versions were
already updated:
1, for Fedora-13 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc13
2, for Fedora-14 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc14

Comment 2 Tomas Hoger 2011-01-25 11:00:28 UTC
(In reply to comment #1)
> This issue does NOT affect the versions of the pam package,
> as shipped with Red Hat Enterprise Linux 4 and 5, as those
> versions do not recognize content of $HOME/.pam_environment file
> (user specific environment file) by default yet.

To clarify, pam_environment module in the PAM packages in RHEL-4 and RHEL-5 has no support for reading user-specific ~/.pam_environment.  Hence both default and non-default configurations can not be affected.

> This issue does NOT affect the version of the pam package,
> as shipped with Red Hat Enterprise Linux 6. Relevant
> pam package version was already updated via:
> 
>   RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

This advisory explicitly highlights this change:

  Note: As part of the fix for CVE-2010-3435, this update changes the default
  value of pam_env's configuration option user_readenv to 0, causing the
  module to not read user's ~/.pam_environment configuration file by default,
  as reading it may introduce unexpected changes to the environment of the
  service using PAM, or PAM modules consulted after pam_env.


Note You need to log in before you can comment on or make changes to this bug.