PublicDateAtUSN: 2009-02-13
Candidate: CVE-2009-0361
PublicDate: 2009-02-13 17:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0361
 https://ubuntu.com/security/notices/USN-719-1
Description:
 Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in
 Solaris 10, and other software, does not properly handle calls to
 pam_setcred when running setuid, which allows local users to overwrite and
 change the ownership of arbitrary files by setting the KRB5CCNAME
 environment variable, and then launching a setuid application that performs
 certain pam_setcred operations.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_libpam-heimdal:
upstream_libpam-heimdal: released (3.10-2.1)
dapper_libpam-heimdal: ignored (reached end-of-life)
gutsy_libpam-heimdal: needs-triage (reached end-of-life)
hardy_libpam-heimdal: ignored (reached end-of-life)
intrepid_libpam-heimdal: needed (reached end-of-life)
jaunty_libpam-heimdal: not-affected (3.10-2.1ubuntu1)
karmic_libpam-heimdal: not-affected (3.10-2.1ubuntu1)
lucid_libpam-heimdal: not-affected (3.15-2ubuntu1)
maverick_libpam-heimdal: not-affected (3.15-2ubuntu1)
natty_libpam-heimdal: not-affected (3.15-2ubuntu1)
oneiric_libpam-heimdal: DNE (pulled 2010-07-27)
devel_libpam-heimdal: DNE (pulled 2010-07-27)

Patches_libpam-krb5:
upstream_libpam-krb5: released (3.11-4)
dapper_libpam-krb5: ignored (reached end-of-life)
gutsy_libpam-krb5: needed (reached end-of-life)
hardy_libpam-krb5: released (3.10-1ubuntu0.8.04.1)
intrepid_libpam-krb5: released (3.10-1ubuntu0.8.10.1)
jaunty_libpam-krb5: released (3.11-4ubuntu1)
karmic_libpam-krb5: released (3.11-4ubuntu1)
lucid_libpam-krb5: released (3.11-4ubuntu1)
maverick_libpam-krb5: released (3.11-4ubuntu1)
natty_libpam-krb5: released (3.11-4ubuntu1)
oneiric_libpam-krb5: released (3.11-4ubuntu1)
devel_libpam-krb5: released (3.11-4ubuntu1)