libpam_1.2.1 and CVE-2010-4708
Tomas Mraz
tmraz at redhat.com
Mon Dec 14 17:28:31 UTC 2015
On Po, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote:
> Hello,
> I was looking in source code of libpam 1.2.1 ( Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see fix for
> Security vulnerability issue CVE-2010-4708.
>
> Should not DEFAULT_USER_READ_ENVFILE be defined as
> #define DEFAULT_USER_READ_ENVFILE 1
>
> Please suggest if this security issue is fix in different way in release 1.2.1 Or
> I still need a patch for CVE-2010-4708 ?
Yes, it is true that the default was never changed to not read the file
in the Linux-PAM upstream. It was however disputed whether the
vulnerability is real as the environment variables are not set into the
process environment but only PAM environment which normally does not
affect the modules. So the default was kept to 1.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
More information about the Pam-list
mailing list