CVE-2010-4708: pam_env reads env variables from user file by default


Debian Bug report logs - #611136


Package: pam; Maintainer for pam is Steve Langasek <vorlon@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 25 Jan 2011 21:45:02 UTC

Severity: important

Tags: confirmed, patch, security, upstream

Fixed in version pam/1.1.3-7.1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#611136; Package pam. (Tue, 25 Jan 2011 21:45:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Tue, 25 Jan 2011 21:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4708
Date: Tue, 25 Jan 2011 22:40:59 +0100
Package: pam
Severity: important
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4708 
for the description and links to patches.

Cheers,
        Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#611136; Package pam. (Tue, 25 Jan 2011 22:18:50 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 25 Jan 2011 22:18:50 GMT)


Message #10 received at 611136@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 611136@bugs.debian.org
Subject: Re: Bug#611136: CVE-2010-4708
Date: Tue, 25 Jan 2011 23:08:14 +0100
On Tue, Jan 25, 2011 at 10:40:59PM +0100, Moritz Muehlenhoff wrote:
> Package: pam
> Severity: important
> Tags: security
> 
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4708 
> for the description and links to patches.

There are two more:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4707 
 
Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#611136; Package pam. (Wed, 16 Mar 2011 15:54:03 GMT)


Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 16 Mar 2011 15:54:03 GMT)


Message #15 received at 611136@bugs.debian.org:

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 611136@bugs.debian.org
Subject: CVE-2010-4706 & CVE-2010-4707
Date: Wed, 16 Mar 2011 16:41:14 +0100
Am I mistaken or is pam_xauth not used in Debian? This might mean that
CVE-2010-4707 and CVE-2010-4706 do not affect Debian.

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#611136; Package pam. (Thu, 17 Mar 2011 05:21:03 GMT)


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Thu, 17 Mar 2011 05:21:03 GMT)


Message #20 received at 611136@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Arne Wichmann <aw@anhrefn.saar.de>, 611136@bugs.debian.org
Subject: Re: Bug#611136: CVE-2010-4706 & CVE-2010-4707
Date: Wed, 16 Mar 2011 22:17:22 -0700
On Wed, Mar 16, 2011 at 04:41:14PM +0100, Arne Wichmann wrote:
> Am I mistaken or is pam_xauth not used in Debian? This might mean that
> CVE-2010-4707 and CVE-2010-4706 do not affect Debian.

It is not used by default.  It is still included in the package and users
may configure their systems to use it.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Changed Bug title to 'CVE-2010-4708: pam_env reads env variables from user file by default' from 'CVE-2010-4708'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 09 Jun 2011 04:15:03 GMT)


Added tag(s) upstream. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 09 Jun 2011 04:15:03 GMT)


Added tag(s) confirmed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 09 Jun 2011 04:27:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#611136; Package pam. (Sun, 29 Apr 2012 06:42:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 29 Apr 2012 06:42:07 GMT)


Message #31 received at 611136@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 611136@bugs.debian.org, control <control@bugs.debian.org>
Subject: re: cve-2010-4708
Date: Sun, 29 Apr 2012 02:40:20 -0400
tag 611136 patch
thanks

Hi,

I've uploaded an NMU fixing this issue to delayed/5.  Please let me
know if I should delay differently.  Attached is the patch.

Best wishes,
Mike
[pam.patch (application/octet-stream, attachment)]

Added tag(s) patch. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 29 Apr 2012 06:42:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#611136; Package pam. (Sun, 29 Apr 2012 16:03:02 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 29 Apr 2012 16:03:02 GMT)


Message #38 received at 611136@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 611136@bugs.debian.org
Subject: Re: cve-2010-4708
Date: Sun, 29 Apr 2012 11:59:49 -0400
On Sun, Apr 29, 2012 at 2:40 AM, Michael Gilbert wrote:
> tag 611136 patch
> thanks
>
> Hi,
>
> I've uploaded an NMU fixing this issue to delayed/5.  Please let me
> know if I should delay differently.  Attached is the patch.

I should have made use of the package's patch system.  I've canceled
the original upload and done a new one.  New patch attached.

Best wishes,
Mike
[pam.patch (application/octet-stream, attachment)]

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Fri, 04 May 2012 16:21:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 04 May 2012 16:21:08 GMT)


Message #43 received at 611136-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 611136-close@bugs.debian.org
Subject: Bug#611136: fixed in pam 1.1.3-7.1
Date: Fri, 04 May 2012 16:19:22 +0000
Source: pam
Source-Version: 1.1.3-7.1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_1.1.3-7.1_amd64.deb
  to main/p/pam/libpam-cracklib_1.1.3-7.1_amd64.deb
libpam-doc_1.1.3-7.1_all.deb
  to main/p/pam/libpam-doc_1.1.3-7.1_all.deb
libpam-modules-bin_1.1.3-7.1_amd64.deb
  to main/p/pam/libpam-modules-bin_1.1.3-7.1_amd64.deb
libpam-modules_1.1.3-7.1_amd64.deb
  to main/p/pam/libpam-modules_1.1.3-7.1_amd64.deb
libpam-runtime_1.1.3-7.1_all.deb
  to main/p/pam/libpam-runtime_1.1.3-7.1_all.deb
libpam0g-dev_1.1.3-7.1_amd64.deb
  to main/p/pam/libpam0g-dev_1.1.3-7.1_amd64.deb
libpam0g_1.1.3-7.1_amd64.deb
  to main/p/pam/libpam0g_1.1.3-7.1_amd64.deb
pam_1.1.3-7.1.diff.gz
  to main/p/pam/pam_1.1.3-7.1.diff.gz
pam_1.1.3-7.1.dsc
  to main/p/pam/pam_1.1.3-7.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611136@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 29 Apr 2012 02:23:26 -0400
Source: pam
Binary: libpam0g libpam-modules libpam-modules-bin libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source amd64 all
Version: 1.1.3-7.1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-modules-bin - Pluggable Authentication Modules for PAM - helper binaries
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 611136
Changes: 
 pam (1.1.3-7.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix cve-2011-4708: user-configurable .pam_environment allows
     administrator-level changes without root access (closes: #611136).
Checksums-Sha1: 
 9b81808f430f321f4d3f70f4b2fb54e41d22a72b 3095 pam_1.1.3-7.1.dsc
 7d7676198107d4cfb61910376826c06cc830c0c2 273542 pam_1.1.3-7.1.diff.gz
 acb48a74c721c4c60341a72e1d7631e5110e228e 127508 libpam0g_1.1.3-7.1_amd64.deb
 40cc1453e2d78301c5f9dc63ee4460681726d731 348252 libpam-modules_1.1.3-7.1_amd64.deb
 c47fcd91e12d038ceb2da5fccc8a6f820780ff3a 112602 libpam-modules-bin_1.1.3-7.1_amd64.deb
 05b4d5dfad3add213b5c20059daab496f3ca124a 227884 libpam-runtime_1.1.3-7.1_all.deb
 c520adad8f1de790a971df828e5107ad10418e8d 191250 libpam0g-dev_1.1.3-7.1_amd64.deb
 653b2a543f60a3e9fbed1063294a5ad646ff7678 83682 libpam-cracklib_1.1.3-7.1_amd64.deb
 ede7307788d0ef5d5d39120439bf8eb7097e8445 322824 libpam-doc_1.1.3-7.1_all.deb
Checksums-Sha256: 
 5476d5bbcd568c26c28cc64d3b8ff9f0fdcb0f07e307bd7af73303867c037f6f 3095 pam_1.1.3-7.1.dsc
 0674e550823033afd3293a4a0e4a9b1d1d4724bd9f150d4a7096e4d9eb4546d2 273542 pam_1.1.3-7.1.diff.gz
 67f027190f59ec1544f24806209d98e7ee0ae4ed7f1d01fcaea5243067c4949c 127508 libpam0g_1.1.3-7.1_amd64.deb
 1c84a6bd9c3c0d23313b5bc9ee2cee6b3a70d0235b8237a36d819a8100e320e8 348252 libpam-modules_1.1.3-7.1_amd64.deb
 6d0ebb8e58d6b3769640e695d28da03a3c0ce15c6e9a5fb5c190c1402ac189f6 112602 libpam-modules-bin_1.1.3-7.1_amd64.deb
 be1441db81342c7a86fa4d7c6593e15d3c6195e51518d4dec33a3adf034f7595 227884 libpam-runtime_1.1.3-7.1_all.deb
 895f73587e53aa5aae656320b8523875da62ebada222ea094bf193476c7d3341 191250 libpam0g-dev_1.1.3-7.1_amd64.deb
 61a0f85f00ece830526662362cd95e257dad9637697de64e5e370a9bb636f16d 83682 libpam-cracklib_1.1.3-7.1_amd64.deb
 883ff8029faaf1f22e767fcb103e19d44ce685b70b9e9aa9747e02abfc3807e7 322824 libpam-doc_1.1.3-7.1_all.deb
Files: 
 d84d66d90c4bb4eff33cb3cb283cf93d 3095 libs optional pam_1.1.3-7.1.dsc
 d13809ed34be9515235faa2089ba6267 273542 libs optional pam_1.1.3-7.1.diff.gz
 7c117957c3bc05aa9f6700f636df8b5f 127508 libs required libpam0g_1.1.3-7.1_amd64.deb
 09a702817e7af6ff9a5cf4b282058e92 348252 admin required libpam-modules_1.1.3-7.1_amd64.deb
 9d67dba4f3d0ca08a0f591f92414418f 112602 admin required libpam-modules-bin_1.1.3-7.1_amd64.deb
 46d82a2056e838767d5137efa927372d 227884 admin required libpam-runtime_1.1.3-7.1_all.deb
 0c35fd4e1d81a2b4ef18dc000513bd3d 191250 libdevel optional libpam0g-dev_1.1.3-7.1_amd64.deb
 298d76f0de0f94416da0da85459bc33e 83682 admin optional libpam-cracklib_1.1.3-7.1_amd64.deb
 6dafb7e459cfc53beb8896a9ce545969 322824 doc optional libpam-doc_1.1.3-7.1_all.deb






Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#611136; Package pam. (Sat, 05 May 2012 00:27:06 GMT)


Acknowledgement sent to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Sat, 05 May 2012 00:27:06 GMT)


Message #48 received at 611136@bugs.debian.org:

From: Josh Triplett <josh@joshtriplett.org>
To: 611136@bugs.debian.org
Subject: Re: Bug#611136 closed by Michael Gilbert <mgilbert@debian.org> (Bug#611136: fixed in pam 1.1.3-7.1)
Date: Fri, 4 May 2012 17:25:52 -0700
On Fri, May 04, 2012 at 04:21:08PM +0000, Debian Bug Tracking System wrote:
>  pam (1.1.3-7.1) unstable; urgency=low
>  .
>    * Non-maintainer upload.
>    * Fix cve-2011-4708: user-configurable .pam_environment allows
>      administrator-level changes without root access (closes: #611136).

Typo: that should say CVE-2010-4708.

- Josh Triplett
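
The changelog entry for 1.1.3-7.1 quoted above describes the problem as pam_env honouring a user-writable .pam_environment. Below is an added example, not part of this bug report, of the Debian pam package or of the patches attached to it: a POSIX shell audit that flags pam_env.so lines in a PAM configuration directory that do not carry the documented pam_env option user_readenv=0, together with a rewrite that adds it. Only the option name comes from pam_env(8); the function names, the sample service files and the assumption that a line without the option falls back to reading the user file (the behaviour on the affected versions) are constructed for this example. Whether the attached Debian patch takes exactly this route is not claimed here.

```shell
#!/bin/sh
# Added example for this bug thread; it is not part of the Debian pam package
# nor of the patches attached to the report. It audits a directory of PAM
# service files for pam_env.so lines that would still honour ~/.pam_environment
# and rewrites them with the documented pam_env option user_readenv=0. On the
# affected versions the module's default was user_readenv=1, so a line without
# the option is treated as vulnerable (assumption stated in the lead-in). The
# service files below are constructed for the demonstration, not copied from
# any system.

# pam_env_audit DIR: print "FILE: LINE" for every active (non-comment)
# pam_env.so line in DIR that does not carry user_readenv=0 as a whole
# argument; return 1 if any were found, 0 if the directory is clean.
pam_env_audit() {
    dir=$1
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        hits=$(grep -v '^[[:space:]]*#' "$f" \
               | grep 'pam_env\.so' \
               | grep -Ev 'user_readenv=0([[:space:]]|$)' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f: |"
            status=1
        fi
    done
    return $status
}

# pam_env_harden FILE: force user_readenv=0 on every active pam_env.so line.
# An existing user_readenv=N is rewritten in place; a missing one is appended.
# Comment lines and lines for other modules are left untouched.
pam_env_harden() {
    f=$1
    sed -e '/^[[:space:]]*#/b' \
        -e '/pam_env\.so/!b' \
        -e 's/user_readenv=[0-9]*/user_readenv=0/' \
        -e '/user_readenv=0/!s/$/ user_readenv=0/' "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
}

# make_sample: create a throwaway pam.d-style directory with constructed
# service files covering the cases the audit must distinguish; print its path.
make_sample() {
    dir=$(mktemp -d)
    # option absent: the vulnerable default applies
    printf 'session required pam_env.so readenv=1\n' > "$dir/common-session"
    # user file explicitly enabled
    printf 'session required pam_env.so user_readenv=1\n' > "$dir/su"
    # hardened form: user file disabled
    printf 'session required pam_env.so user_readenv=0\nsession required pam_unix.so\n' > "$dir/login"
    # commented-out line must not be reported
    printf '# session required pam_env.so\nauth required pam_unix.so\n' > "$dir/sshd"
    printf '%s\n' "$dir"
}

# Stand-alone run: audit, harden what was flagged, audit again.
demo() {
    d=$(make_sample)
    pam_env_audit "$d" || echo "-- hardening flagged files"
    pam_env_harden "$d/common-session"
    pam_env_harden "$d/su"
    pam_env_audit "$d" && echo "-- clean: $d"
    rm -rf "$d"
}

demo
```

To run the audit against a real system, call pam_env_audit /etc/pam.d as root and review each flagged line before hardening it; on versions where pam_env already defaults to user_readenv=0, a missing option is not a finding, so treat the audit's default-is-vulnerable assumption as version-specific.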




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Jun 2012 07:38:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:58:07 2019; Machine Name: buxtehude
