Re: libpam_1.2.1 and CVE-2010-4708

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Po, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote:
> Hello,
> I was looking in source code of libpam 1.2.1 ( Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see fix for
> Security vulnerability issue  CVE-2010-4708.
> 
> Should not DEFAULT_USER_READ_ENVFILE  be defined as
> #define DEFAULT_USER_READ_ENVFILE 1
> 
> Please suggest if this security issue is fix in different way in release 1.2.1 Or
> I still need a patch for CVE-2010-4708 ?

Yes, it is true that the default was never changed to not read the file
in the Linux-PAM upstream. It was however disputed whether the
vulnerability is real as the environment variables are not set into the
process environment but only PAM environment which normally does not
affect the modules. So the default was kept to 1.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list



[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux