On Po, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote: > Hello, > I was looking in source code of libpam 1.2.1 ( Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see fix for > Security vulnerability issue CVE-2010-4708. > > Should not DEFAULT_USER_READ_ENVFILE be defined as > #define DEFAULT_USER_READ_ENVFILE 1 > > Please suggest if this security issue is fix in different way in release 1.2.1 Or > I still need a patch for CVE-2010-4708 ? Yes, it is true that the default was never changed to not read the file in the Linux-PAM upstream. It was however disputed whether the vulnerability is real as the environment variables are not set into the process environment but only PAM environment which normally does not affect the modules. So the default was kept to 1. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list