Summary: An attacker could cause PAM to read or delete arbitrary files or cause it to crash. Software Description: - pam: Pluggable Authentication Modules Details: Marcus Granado discovered that PAM incorrectly handled configuration files with non-ASCII usernames. A remote attacker could use this flaw to cause a denial of service, or possibly obtain login access with a different users username. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-0887) It was discovered that the PAM pam_xauth, pam_env and pam_mail modules incorrectly handled dropping privileges when performing operations. A local attacker could use this flaw to read certain arbitrary files, and access other sensitive information. (CVE-2010-3316, CVE-2010-3430, CVE-2010-3431, CVE-2010-3435) It was discovered that the PAM pam_namespace module incorrectly cleaned the environment during execution of the namespace.init script. A local attacker could use this flaw to possibly gain privileges. (CVE-2010-3853) It was discovered that the PAM pam_xauth module incorrectly handled certain failures. A local attacker could use this flaw to delete certain unintended files. (CVE-2010-4706) It was discovered that the PAM pam_xauth module incorrectly verified certain file properties. A local attacker could use this flaw to cause a denial of service. (CVE-2010-4707) Update instructions: The problem can be corrected by updating your system.
CC: (none) => mageia, mageia, pterjan
CVE-2009-0887 is for pam <= 1.0.3 CVE-2010-3316 is for pam < 1.1.2 CVE-2010-3430 is for pam = 1.1.2 CVE-2010-3431 is for pam = 1.1.2 CVE-2010-3435 is for pam < 1.1.2 CVE-2010-3853 is for pam < 1.1.3 CVE-2010-4706 is for pam <= 1.1.2 CVE-2010-4707 is for pam <= 1.1.2 Mageia 1 was released with pam 1.1.3
Status: NEW => RESOLVEDResolution: (none) => INVALID