Debian Bug report logs - #599832
CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435


Package: pam; Maintainer for pam is Steve Langasek <vorlon@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 11 Oct 2010 17:54:05 UTC

Severity: important

Tags: security

Fixed in version pam/1.1.3-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#599832; Package pam. (Mon, 11 Oct 2010 17:54:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>. (Mon, 11 Oct 2010 17:54:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435
Date: Mon, 11 Oct 2010 19:52:13 +0200
Package: pam
Severity: grave
Tags: security

Hi,
four security issues have been reported against pam:

Originally reported via a thread on oss-security:
http://thread.gmane.org/gmane.comp.security.oss.general/3311/focus=3534

More verbose information and links to patches can be found
in the Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3316
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3430
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3431
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3435

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#599832; Package pam. (Tue, 12 Oct 2010 14:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Tue, 12 Oct 2010 14:21:07 GMT) Full text and rfc822 format available.

Message #10 received at 599832@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 599832@bugs.debian.org
Subject: Re: Bug#599832: CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435
Date: Mon, 11 Oct 2010 12:17:42 -0700
severity 599832 important
thanks

On Mon, Oct 11, 2010 at 07:52:13PM +0200, Moritz Muehlenhoff wrote:
> Package: pam
> Severity: grave
> Tags: security

> Hi,
> four security issues have been reported against pam:

> Originally reported via a thread on oss-security:
> http://thread.gmane.org/gmane.comp.security.oss.general/3311/focus=3534

> More verbose information and links to patches can be found
> in the Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3316

"It is not believed to be exploitable on current kernels, at least not via
RLIMIT_NPROC [4]."

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3430
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3431

"Older PAM versions do not contain affected privilege dropping code and hence
can not be affected by these issues.  They are affected by the original issue
- CVE-2010-3435."

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3435

"This flaw can lead to information disclosure."

I fail to see why any of these issues would be considered grave.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Severity set to 'important' from 'grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 12 Oct 2010 14:21:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#599832; Package pam. (Wed, 01 Dec 2010 01:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jakub Wilk <jwilk@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 01 Dec 2010 01:39:03 GMT) Full text and rfc822 format available.

Message #17 received at 599832@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 599832@bugs.debian.org
Subject: Re: Bug#599832: CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435
Date: Wed, 1 Dec 2010 02:36:49 +0100
* Steve Langasek <vorlon@debian.org>, 2010-10-11, 12:17:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3435
>
>"This flaw can lead to information disclosure."

"User can exploit this flaw by symlinking ~/.pam_environment to some
other file that should be read by pam_env with root privileges and log 
in to the system. Lines of the file that have expected KEY=VALUE form 
are made available to user via environment. [...] Possible targets are
shell scripts with hard-coded passwords (e.g. various backup scripts), 
or various INI file format configuration files (such as MySQL's my.cnf, 
that can contain database password; however, pam_env does not tolerate 
spaces around '=', which may be allowed in those INI files)."

This one does sound grave to me.

-- 
Jakub Wilk
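
An added example, not part of this bug log or of the pam source: a defensive audit for the condition described in the bugzilla text quoted above, flagging any ~/.pam_environment that is a symlink or is not a regular file owned by the account. The function names are constructed for illustration; run it as root so every home directory can be inspected.

```python
import os
import pwd
import stat

PAM_ENV_NAME = ".pam_environment"  # per-user file read by pam_env at login


def audit_pam_environment(home, owner_uid):
    """Return findings for <home>/.pam_environment; an empty list means clean."""
    path = os.path.join(home, PAM_ENV_NAME)
    try:
        st = os.lstat(path)  # lstat inspects the link itself and never follows it
    except (FileNotFoundError, NotADirectoryError):
        return []  # no such file, or the passwd entry names a non-directory home
    except OSError as exc:
        return ["cannot inspect: " + exc.strerror]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink -> " + os.path.realpath(path))
        try:
            target = os.stat(path)  # follow the link to see whose file it names
        except OSError:
            findings.append("dangling or unreadable symlink target")
        else:
            if target.st_uid != owner_uid:
                findings.append("target owned by uid %d, account uid is %d"
                                % (target.st_uid, owner_uid))
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    elif st.st_uid != owner_uid:
        findings.append("file owned by uid %d, account uid is %d"
                        % (st.st_uid, owner_uid))
    return findings


def audit_all_accounts():
    """Audit every passwd entry; return {username: findings} for flagged accounts."""
    flagged = {}
    for entry in pwd.getpwall():
        findings = audit_pam_environment(entry.pw_dir, entry.pw_uid)
        if findings:
            flagged[entry.pw_name] = findings
    return flagged


if __name__ == "__main__":
    for user, findings in sorted(audit_all_accounts().items()):
        print(user + ": " + "; ".join(findings))
```
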

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#599832; Package pam. (Wed, 16 Mar 2011 15:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arne Wichmann <aw@anhrefn.saar.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 16 Mar 2011 15:09:03 GMT) Full text and rfc822 format available.

Message #22 received at 599832@bugs.debian.org (full text, mbox):

From: Arne Wichmann <aw@anhrefn.saar.de>
To: 599832@bugs.debian.org
Subject: CVE-2010-3435 & co
Date: Wed, 16 Mar 2011 15:57:43 +0100
Hi,

is there anything happening here? This bug is now open for more than five
months, and at least CVE-2010-3435 is not without problems (even though
some workaround is possible).

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#599832; Package pam. (Mon, 30 May 2011 20:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Renner <michael.renner@amd.co.at>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 30 May 2011 20:54:03 GMT) Full text and rfc822 format available.

Message #27 received at 599832@bugs.debian.org (full text, mbox):

From: Michael Renner <michael.renner@amd.co.at>
To: 599832@bugs.debian.org
Subject: A PoC attack vector
Date: Mon, 30 May 2011 22:50:00 +0200
Hi,

while not overly troublesome (relying on unencrypted private key files) here's a documented attack vector for this vulnerability: http://7bits.nl/projects/pamenv-dsakeys/pamenv-dsakeys.html.

It's rather bad style to not have a fix for this in Debian.

best,
Michael

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#599832; Package pam. (Mon, 30 May 2011 22:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 30 May 2011 22:51:03 GMT) Full text and rfc822 format available.

Message #32 received at 599832@bugs.debian.org (full text, mbox):

From: paul.szabo@sydney.edu.au
To: 599832@bugs.debian.org
Subject: CVE-2010-3435 gets password in lilo.conf, secret in named.conf
Date: Tue, 31 May 2011 08:42:47 +1000
Seems to me that this bug may allow users to determine:
  password in /etc/lilo.conf
  secret in /etc/bind/named.conf /etc/bind/rndc.conf /etc/bind/rndc.key
  bits of /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
which should all be protected.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Added tag(s) pending. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 04 Jun 2011 09:24:10 GMT) Full text and rfc822 format available.

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Sat, 04 Jun 2011 20:57:05 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 04 Jun 2011 20:57:05 GMT) Full text and rfc822 format available.

Message #39 received at 599832-close@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 599832-close@bugs.debian.org
Subject: Bug#599832: fixed in pam 1.1.3-1
Date: Sat, 04 Jun 2011 20:54:18 +0000
Source: pam
Source-Version: 1.1.3-1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_1.1.3-1_amd64.deb
  to main/p/pam/libpam-cracklib_1.1.3-1_amd64.deb
libpam-doc_1.1.3-1_all.deb
  to main/p/pam/libpam-doc_1.1.3-1_all.deb
libpam-modules_1.1.3-1_amd64.deb
  to main/p/pam/libpam-modules_1.1.3-1_amd64.deb
libpam-runtime_1.1.3-1_all.deb
  to main/p/pam/libpam-runtime_1.1.3-1_all.deb
libpam0g-dev_1.1.3-1_amd64.deb
  to main/p/pam/libpam0g-dev_1.1.3-1_amd64.deb
libpam0g_1.1.3-1_amd64.deb
  to main/p/pam/libpam0g_1.1.3-1_amd64.deb
pam_1.1.3-1.diff.gz
  to main/p/pam/pam_1.1.3-1.diff.gz
pam_1.1.3-1.dsc
  to main/p/pam/pam_1.1.3-1.dsc
pam_1.1.3.orig.tar.gz
  to main/p/pam/pam_1.1.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599832@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 04 Jun 2011 03:10:50 -0700
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source amd64 all
Version: 1.1.3-1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 599832 602902 608273
Changes: 
 pam (1.1.3-1) unstable; urgency=low
 .
   * New upstream release.
     - Fixes CVE-2010-3853, executing namespace.init with an insecure
       environment set by the caller.  Closes: #608273.
     - Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435.
       Closes: #599832.
   * Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv
     interface; now possibly upstreamable
   * debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
     set a better default RLIMIT_MEMLOCK value for BSD kernels.  Thanks to
     Petr Salinger for the fix.  Closes: #602902.
   * bump the minimum version check in maintainer scripts for the restart
     handling.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 Aug 2011 07:35:12 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:47:51 2014; Machine Name: buxtehude.debian.org
