LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Ubuntu alert USN-1237-1 (pam)



From:
    	      Marc Deslauriers <marc.deslauriers@canonical.com> 


To:
    	      ubuntu-security-announce@lists.ubuntu.com 


Subject:
    	      [USN-1237-1] PAM vulnerabilities 


Date:
    	      Mon, 24 Oct 2011 15:17:02 -0400


Message-ID:
    	      <1319483822.11244.4.camel@mdlinux>


Archive-link:
    	      Article, Thread
              


==========================================================================
Ubuntu Security Notice USN-1237-1
October 24, 2011

pam vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

PAM could be made to crash or run programs as an administrator.

Software Description:
- pam: Pluggable Authentication Modules

Details:

Kees Cook discovered that the PAM pam_env module incorrectly handled
certain malformed environment files. A local attacker could use this flaw
to cause a denial of service, or possibly gain privileges. The default
compiler options for affected releases should reduce the vulnerability to a
denial of service. (CVE-2011-3148)

Kees Cook discovered that the PAM pam_env module incorrectly handled
variable expansion. A local attacker could use this flaw to cause a denial
of service. (CVE-2011-3149)

Stephane Chazelas discovered that the PAM pam_motd module incorrectly
cleaned the environment during execution of the motd scripts. In certain
environments, a local attacker could use this to execute arbitrary code
as root, and gain privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  libpam-modules                  1.1.3-2ubuntu2.1

Ubuntu 11.04:
  libpam-modules                  1.1.2-2ubuntu8.4

Ubuntu 10.10:
  libpam-modules                  1.1.1-4ubuntu2.4

Ubuntu 10.04 LTS:
  libpam-modules                  1.1.1-2ubuntu5.4

Ubuntu 8.04 LTS:
  libpam-modules                  0.99.7.1-5ubuntu6.5

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1237-1
  CVE-2011-3148, CVE-2011-3149, CVE-2011-3628

Package Information:
  https://launchpad.net/ubuntu/+source/pam/1.1.3-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/pam/1.1.2-2ubuntu8.4
  https://launchpad.net/ubuntu/+source/pam/1.1.1-4ubuntu2.4
  https://launchpad.net/ubuntu/+source/pam/1.1.1-2ubuntu5.4
  https://launchpad.net/ubuntu/+source/pam/0.99.7.1-5ubuntu6.5


-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security...
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds