CVE-2009-0361
Published: 13 February 2009
Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.
Priority
Status
Package | Release | Status |
---|---|---|
libpam-heimdal (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
libpam-heimdal | gutsy | Ignored (end of life, was needs-triage) |
libpam-heimdal | hardy | Ignored (end of life) |
libpam-heimdal | intrepid | Ignored (end of life, was needed) |
libpam-heimdal | jaunty | Not vulnerable (3.10-2.1ubuntu1) |
libpam-heimdal | karmic | Not vulnerable (3.10-2.1ubuntu1) |
libpam-heimdal | lucid | Not vulnerable (3.15-2ubuntu1) |
libpam-heimdal | maverick | Not vulnerable (3.15-2ubuntu1) |
libpam-heimdal | natty | Not vulnerable (3.15-2ubuntu1) |
libpam-heimdal | oneiric | Does not exist (pulled 2010-07-27) |
libpam-heimdal | upstream | Released (3.10-2.1) |
libpam-krb5 (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
libpam-krb5 | gutsy | Ignored (end of life, was needed) |
libpam-krb5 | hardy | Released (3.10-1ubuntu0.8.04.1) |
libpam-krb5 | intrepid | Released (3.10-1ubuntu0.8.10.1) |
libpam-krb5 | jaunty | Released (3.11-4ubuntu1) |
libpam-krb5 | karmic | Released (3.11-4ubuntu1) |
libpam-krb5 | lucid | Released (3.11-4ubuntu1) |
libpam-krb5 | maverick | Released (3.11-4ubuntu1) |
libpam-krb5 | natty | Released (3.11-4ubuntu1) |
libpam-krb5 | oneiric | Released (3.11-4ubuntu1) |
libpam-krb5 | upstream | Released (3.11-4) |