Computer Security
[EN] securityvulns.ru
no-pyccku

  

PAM authentuication modules multiple security vulnerabilities
Published:08.11.2010
Source:BUGTRAQ
SecurityVulns ID:11240
Type:local
Level:5/10
Description:Different vulnerabilities in pam_xauth, pam_mail, pam_namespace modules.
Affected:PAM : pam 1.1
CVE:CVE-2010-3853 (pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.)
 CVE-2010-3435 (The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.)
 CVE-2010-3316 (The run_coprocess function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) before 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls, which might allow local users to read arbitrary files by executing a program that relies on the pam_xauth PAM check.)
Original documentdocumentMANDRIVA, [ MDVSA-2010:220 ] pam (08.11.2010)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 



Rating@Mail.ru