The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before
1.1.2 use root privileges during read access to files and directories that
belong to arbitrary user accounts, which might allow local users to obtain
sensitive information by leveraging this filesystem activity, as
demonstrated by a symlink attack on the .pam_environment file in a user's
home directory.
mdeslaurAll patched below are needed, only two first were included in
1.1.2, and second introduced CVE-2010-3430 and CVE-2010-3431,
which is fixed by second patch.
More Information

Updated: 2019-12-05 20:55:38 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)