pam: CVE-2011-3628 - pam_motd does not sanitize environment

Related Vulnerabilities: CVE-2011-3628  

Debian Bug report logs - #670076

Package: src:pam; Maintainer for src:pam is Steve Langasek <vorlon@debian.org>;

Reported by: Arne Wichmann <aw@linux.de>

Date: Sun, 22 Apr 2012 18:57:07 UTC

Severity: normal

Tags: security

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#670076; Package src:pam. (Sun, 22 Apr 2012 18:57:10 GMT)


Acknowledgement sent to Arne Wichmann <aw@linux.de>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Sun, 22 Apr 2012 18:57:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Arne Wichmann <aw@linux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pam: CVE-2011-3628 - pam_motd does not sanitize environment
Date: Sun, 22 Apr 2012 20:49:21 +0200
Source: pam
Severity: normal
Tags: security

Hi, citing from Ubuntu
(https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/comments/0):

> pam_motd calls the scripts in /etc/update-motd.d/ as root without
> sanitising the environment. While that is acceptable when called for
> instance by sshd or by getty through login where the environment should be
> controlled, it becomes an issue if for instance "session optional
> pam_motd.so" is added to /etc/pam.d/su.
> 
> With that done, a user can simply update his $PATH to look first in a
> directory that contains malicious replacements for commands called by the
> /etc/update-motd.d/ scripts (for instance "uname" called by 00_header).
> 
> pam_motd should perform the same kind of sanitisation as pam_exec, or even
> better not do the run-parts /etc/update-motd.d/ at all but add some pam_exec
> calls to the pam configuration.
> 
> That issue is made worse by the fact that the running of those scripts by
> pam_motd is not documented.

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3628 for
some (well...) information.

cu

AW

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.14 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash




Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sun, 29 Apr 2012 06:24:06 GMT)


Notification sent to Arne Wichmann <aw@linux.de>:
Bug acknowledged by developer. (Sun, 29 Apr 2012 06:24:06 GMT)


Message #10 received at 670076-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 670076-close@bugs.debian.org
Subject: re: CVE-2011-3628 - pam_motd does not sanitize environment
Date: Sun, 29 Apr 2012 02:20:47 -0400
It's not clear which version fixed this, but it's present in at least
1.1.3-7.  See:
https://bugs.launchpad.net/ubuntu/%2Bsource/pam/%2Bbug/610125
https://launchpadlibrarian.net/82729670/610125.patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 May 2012 07:41:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:39 2019; Machine Name: beach
