libpam_1.2.1 and CVE-2010-4708

Tupe, Amol (Amol) tupea at avaya.com
Mon Dec 14 18:14:17 UTC 2015


Thanks Tomas,
So, keeping default as 1 is safe. 
And I will continue with 
DEFAULT_USER_READ_ENVFILE 1

Regards,

Amol T

-----Original Message-----
From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] On Behalf Of Tomas Mraz
Sent: Monday, December 14, 2015 12:29 PM
To: Pluggable Authentication Modules
Cc: PAM developers
Subject: Re: libpam_1.2.1 and CVE-2010-4708

On Mon, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote:
> Hello,
> I was looking in the source code of libpam 1.2.1
> (Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see a fix for the security vulnerability issue CVE-2010-4708.
> 
> Should not DEFAULT_USER_READ_ENVFILE be defined as
> #define DEFAULT_USER_READ_ENVFILE 1
> 
> Please suggest whether this security issue is fixed in a different way in
> release 1.2.1, or whether I still need a patch for CVE-2010-4708?

Yes, it is true that the default was never changed to not read the file in the Linux-PAM upstream. It was however disputed whether the vulnerability is real, as the environment variables are not set into the process environment but only into the PAM environment, which normally does not affect the modules. So the default was kept at 1.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb (You'll never know whether the road is wrong though.)
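
Added example, not part of the original thread or of the Linux-PAM sources: a small audit that reports, for each pam_env line in a PAM service file, whether reading of the user file is decided by the compiled-in DEFAULT_USER_READ_ENVFILE or by an explicit setting. It assumes the /etc/pam.d file format and pam_env's runtime option `user_readenv`; the sample configuration is constructed.

```python
import re
from pathlib import Path

# Compile-time default discussed in the thread (pam_env.c, Linux-PAM 1.2.1).
DEFAULT_USER_READ_ENVFILE = 1

# Constructed sample of an /etc/pam.d service file (not from a real system).
SAMPLE = """\
# constructed example
auth     required   pam_unix.so
session  required   pam_env.so
session  required   pam_env.so user_readenv=0
session  [success=ok default=ignore] /lib/security/pam_env.so readenv=1 \\
         user_readenv=1
"""

def logical_lines(text):
    """Yield (first_lineno, line): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None

def audit_pam_env(text, default=DEFAULT_USER_READ_ENVFILE):
    """Return [(lineno, effective_user_readenv, explicit)] per pam_env line."""
    findings = []
    for n, line in logical_lines(text):
        # Collapse a bracketed control field so it splits as one token.
        fields = re.sub(r"^(\S+\s+)\[[^\]]*\]", r"\1CONTROL", line).split()
        mod = next((i for i, f in enumerate(fields)
                    if Path(f).name == "pam_env.so"), None)
        if mod is None:
            continue
        value, explicit = default, False
        for arg in fields[mod + 1:]:
            m = re.fullmatch(r"user_readenv=(\d+)", arg)
            if m:  # the last occurrence on the line is the one reported
                value, explicit = int(m.group(1)), True
        findings.append((n, value, explicit))
    return findings
```

Entries with `explicit == False` are the ones whose behaviour changes if the library is rebuilt with a different DEFAULT_USER_READ_ENVFILE.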

