CVE-2010-3435

Priority
Medium
Description
The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before
1.1.2 use root privileges during read access to files and directories that
belong to arbitrary user accounts, which might allow local users to obtain
sensitive information by leveraging this filesystem activity, as
demonstrated by a symlink attack on the .pam_environment file in a user's
home directory.
Notes
 mdeslaur> All patches below are needed, only the first two were included in
 mdeslaur> 1.1.2, and the second introduced CVE-2010-3430 and CVE-2010-3431,
 mdeslaur> which is fixed by second patch.
Package
Source: pam (LP Ubuntu Debian)
Upstream: released (1.1.2)
Patches:
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=60530da87ddd4ce280fbd5cae182dc7ac3b1a154 (backporting)
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=4e8357e4609be470ee5214be01e2d1d0e688f580 (backporting)
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=ffe7058c70253d574b1963c7c93002bd410fddc9 (CVE-2010-4707)
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=05dafc06cd3dfeb7c4b24942e4e1ae33ff75a123 (CVE-2010-4706)
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=cee7448470a6fe895269c760134dc95d6952d260 (backporting)
Upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=843807a3a90f52e7538be756616510730a24739a

Updated: 2017-08-11 23:44:13 UTC (commit 13081)