Bug 672486 (CVE-2010-4707) - CVE-2010-4707 pam: pam_xauth: Does not check if certain ACL file is a regular file
Status: CLOSED ERRATA
Alias: CVE-2010-4707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Red Hat Product Security
Reported: 2011-01-25 10:06 UTC by Jan Lieskovsky
Modified: 2021-02-24 16:41 UTC (History)
Doc Type: Bug Fix
Last Closed: 2011-08-18 19:17:06 UTC

Description Jan Lieskovsky 2011-01-25 10:06:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4707 to
the following vulnerability:

The check_acl function in pam_xauth.c in the pam_xauth module in
Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain
ACL file is a regular file, which might allow local users to cause a
denial of service (resource consumption) via a special file.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4707
[2] http://openwall.com/lists/oss-security/2010/10/03/1
[3] http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=Linux-PAM-1_1_2-2-gffe7058c70253d574b1963c7c93002bd410fddc9

Comment 1 Jan Lieskovsky 2011-01-25 10:09:13 UTC
This issue affects the version of the pam package, as shipped
with Red Hat Enterprise Linux 4.

This issue does NOT affect the versions of the pam package,
as shipped with Red Hat Enterprise Linux 5 and 6. Relevant
pam package versions were already updated:
1, for Red Hat Enterprise Linux 5 via:
   RHSA-2010:0819 https://rhn.redhat.com/errata/RHSA-2010-0819.html

2, for Red Hat Enterprise Linux 6 via:
   RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

--

This issue does NOT affect the versions of the pam package, as shipped
with Fedora releases 13 and 14. Relevant pam package versions were
already updated:
1, for Fedora-13 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc13
2, for Fedora-14 the version which contains the patch for this issue is:
   pam-1.1.1-6.fc14

Comment 2 Tomas Hoger 2011-02-01 11:01:54 UTC
I'm not sure why the CVE description mentions resource consumption DoS here. It seems the main concern is that some service using pam_xauth may block on read if a user replaces their ACL file with e.g. a pipe. The pam_xauth module is only used with local applications used to switch or elevate privileges (su, system-config-* GUI configuration utilities), so the local user can block certain apps (su, consolehelper) running with different privileges. However, this can only happen if the user is allowed to run those applications (commands run via su, or system-config-*) with changed privileges, which is likely to require more resources than a small suid helper blocked on read. So the security impact is limited.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue was addressed in the PAM packages in Red Hat Enterprise Linux 5 via RHSA-2010:0819 and in Red Hat Enterprise Linux 6 via RHSA-2010:0891. A future update may correct this issue in the PAM packages in Red Hat Enterprise Linux 4.
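
The missing check described in this report, as an added example (not Linux-PAM's patch and not code from this bug): a privileged reader opens a user-controlled ACL file without blocking and accepts it only if the descriptor refers to a regular file. The names `open_regular_acl` and `acl_demo` and the temporary paths are hypothetical and constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Linux-PAM code): return a read-only fd for a
 * user-controlled ACL file only if it is a regular file, else -1. */
int open_regular_acl(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO with no writer returns immediately.
     * O_NOCTTY: a terminal device must not become the controlling tty. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the object that is checked
     * is the object that will be read (no stat-then-open race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: 1 if accepted, 0 if rejected, -1 on setup failure. */
int acl_demo(int use_fifo)
{
    char dir[] = "/tmp/acl_demo_XXXXXX", path[64];
    int fd, rc;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/acl", dir);
    rc = use_fifo ? mkfifo(path, 0600)
                  : open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (rc < 0) { rmdir(dir); return -1; }
    if (!use_fifo) close(rc);
    fd = open_regular_acl(path);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return fd >= 0;
}

int main(void)
{
    printf("regular: %d, FIFO: %d\n", acl_demo(0), acl_demo(1));
    return 0;
}
```

The FIFO case returns promptly instead of waiting for a writer, which is the blocking behaviour Comment 2 identifies as the main concern.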