RE: libpam_1.2.1 and CVE-2010-4708

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Thanks Tomas,
So, keeping default as 1 is safe. 
And I will continue with 


Amol T

-----Original Message-----
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Mraz
Sent: Monday, December 14, 2015 12:29 PM
To: Pluggable Authentication Modules
Cc: PAM developers
Subject: Re: libpam_1.2.1 and CVE-2010-4708

On Po, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote:
> Hello,
> I was looking in source code of libpam 1.2.1 ( 
> Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see fix for Security vulnerability issue  CVE-2010-4708.
> Should not DEFAULT_USER_READ_ENVFILE  be defined as #define 
> Please suggest if this security issue is fix in different way in 
> release 1.2.1 Or I still need a patch for CVE-2010-4708 ?

Yes, it is true that the default was never changed to not read the file in the Linux-PAM upstream. It was however disputed whether the vulnerability is real as the environment variables are not set into the process environment but only PAM environment which normally does not affect the modules. So the default was kept to 1.

Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb (You'll never know whether the road is wrong though.)

Pam-list mailing list

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux