Ubuntu 1140-1: PAM vulnerabilities

    Date: 30 May 2011
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    An attacker could cause PAM to read or delete arbitrary files or cause it to crash.
    ==========================================================================
    Ubuntu Security Notice USN-1140-1
    May 30, 2011
    
    pam vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 11.04
    - Ubuntu 10.10
    - Ubuntu 10.04 LTS
    - Ubuntu 8.04 LTS
    
    Summary:
    
    An attacker could cause PAM to read or delete arbitrary files or cause it
    to crash.
    
    Software Description:
    - pam: Pluggable Authentication Modules
    
    Details:
    
    Marcus Granado discovered that PAM incorrectly handled configuration files
    with non-ASCII usernames. A remote attacker could use this flaw to cause a
    denial of service, or possibly obtain login access with a different user's
    username. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-0887)
    
    It was discovered that the PAM pam_xauth, pam_env and pam_mail modules
    incorrectly handled dropping privileges when performing operations. A local
    attacker could use this flaw to read certain arbitrary files, and access
    other sensitive information. (CVE-2010-3316, CVE-2010-3430, CVE-2010-3431,
    CVE-2010-3435)
    
    It was discovered that the PAM pam_namespace module incorrectly cleaned the
    environment during execution of the namespace.init script. A local attacker
    could use this flaw to possibly gain privileges. (CVE-2010-3853)
    
    It was discovered that the PAM pam_xauth module incorrectly handled certain
    failures. A local attacker could use this flaw to delete certain unintended
    files. (CVE-2010-4706)
    
    It was discovered that the PAM pam_xauth module incorrectly verified
    certain file properties. A local attacker could use this flaw to cause a
    denial of service. (CVE-2010-4707)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 11.04:
      libpam-modules                  1.1.2-2ubuntu8.2
    
    Ubuntu 10.10:
      libpam-modules                  1.1.1-4ubuntu2.2
    
    Ubuntu 10.04 LTS:
      libpam-modules                  1.1.1-2ubuntu5.2
    
    Ubuntu 8.04 LTS:
      libpam-modules                  0.99.7.1-5ubuntu6.3
    
    In general, a standard system update will make all the necessary changes.
    
    References:
      CVE-2009-0887, CVE-2010-3316, CVE-2010-3430, CVE-2010-3431,
      CVE-2010-3435, CVE-2010-3853, CVE-2010-4706, CVE-2010-4707
    
    Package Information:
      https://launchpad.net/ubuntu/+source/pam/1.1.2-2ubuntu8.2
      https://launchpad.net/ubuntu/+source/pam/1.1.1-4ubuntu2.2
      https://launchpad.net/ubuntu/+source/pam/1.1.1-2ubuntu5.2
      https://launchpad.net/ubuntu/+source/pam/0.99.7.1-5ubuntu6.3
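
An added example (not part of the Ubuntu notice or of any Ubuntu tool): a Python check that flags hosts whose installed libpam-modules is older than the fixed versions listed under "Update instructions". It re-implements Debian version ordering so it can run over an inventory export on a machine without dpkg; the host names and installed versions in SAMPLE are constructed, and ASCII version strings are assumed.

```python
import re

# Fixed libpam-modules versions per release, copied from USN-1140-1.
FIXED = {"11.04": "1.1.2-2ubuntu8.2", "10.10": "1.1.1-4ubuntu2.2",
         "10.04": "1.1.1-2ubuntu5.2", "8.04": "0.99.7.1-5ubuntu6.3"}

# Constructed sample inventory (host names and installed versions are made up).
SAMPLE = [("web1", "10.04", "1.1.1-2ubuntu5"), ("db1", "11.04", "1.1.2-2ubuntu8.2"),
          ("old1", "8.04", "0.99.7.1-5ubuntu6.1")]

def _order(ch):
    # Debian sort weight: '~' < end-of-string and digits (0) < letters < other.
    if ch == "~":
        return -1
    if ch == "" or "0" <= ch <= "9":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare upstream or revision strings by alternating text/number runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not "0" <= a[i] <= "9") or \
              (j < len(b) and not "0" <= b[j] <= "9"):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        na = re.match(r"[0-9]*", a[i:]).group()
        nb = re.match(r"[0-9]*", b[j:]).group()
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
        i, j = i + len(na), j + len(nb)
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty.
    m = re.fullmatch(r"(?:([0-9]+):)?(.*?)(?:-([^-]*))?", version)
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""

def compare_versions(a, b):
    # Negative if a is older than b, zero if equal, positive if newer.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(inventory):
    # inventory: iterable of (host, release, installed libpam-modules version)
    return [h for h, rel, ver in inventory
            if compare_versions(ver, FIXED[rel]) < 0]
```

On a single Ubuntu host, `dpkg --compare-versions` applies the same ordering to the version reported by `dpkg-query -W libpam-modules`.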
    
    
    