Thanks Tomas, So, keeping default as 1 is safe. And I will continue with DEFAULT_USER_READ_ENVFILE 1 Regards, Amol T -----Original Message----- From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Tomas Mraz Sent: Monday, December 14, 2015 12:29 PM To: Pluggable Authentication Modules Cc: PAM developers Subject: Re: libpam_1.2.1 and CVE-2010-4708 On Po, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote: > Hello, > I was looking in source code of libpam 1.2.1 ( > Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see fix for Security vulnerability issue CVE-2010-4708. > > Should not DEFAULT_USER_READ_ENVFILE be defined as #define > DEFAULT_USER_READ_ENVFILE 1 > > Please suggest if this security issue is fix in different way in > release 1.2.1 Or I still need a patch for CVE-2010-4708 ? Yes, it is true that the default was never changed to not read the file in the Linux-PAM upstream. It was however disputed whether the vulnerability is real as the environment variables are not set into the process environment but only PAM environment which normally does not affect the modules. So the default was kept to 1. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_mailman_listinfo_pam-2Dlist&d=BQICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=vRtTQEVOC4UMcG21dg2FNw&m=j5s-udEGYbBV9kZighEw2Z1i-Sp56w4JA4YaIQfHSrc&s=lIrNWG6fzud_6IilXbaV5tZZ6-l_OGOj4q6aSHXvQhs&e= _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
