CVE-2011-3148: A stack-based buffer overflow flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool parsed the content of a user's ~/.pam_environment file for additional environment variables (the leading whitespace was not counted into the count of bytes which had been read into the buffer), when both the pam_env module and reading of the user-specific environment file were enabled. A local attacker could use this flaw to crash the pam_env module or, potentially, escalate their privileges.
Acknowledgements: Red Hat would like to thank Kees Cook of Google ChromeOS Team for reporting this issue.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3148
Upstream patch: http://git.fedorahosted.org/git/?p=linux-pam.git;a=commitdiff;h=caf5e7f61c8d9288daa49b4f61962e6b1239121d

CVE-2011-3149: An infinite loop flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool expanded certain environment variables, when both the pam_env module and reading of the user-specific environment file were enabled. A local attacker could use this flaw to cause the pam_env module check to enter an infinite loop and spam the system log file of the particular host.
Acknowledgements: Red Hat would like to thank Kees Cook of Google ChromeOS Team for reporting this issue.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3149
Upstream patch: http://git.fedorahosted.org/git/?p=linux-pam.git;a=commitdiff;h=109823cb621c900c07c4b6cdc99070d354d19444
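The accounting flaw behind CVE-2011-3148, shown as an added example. This is a constructed reimplementation written for this page, not the Linux-PAM source and not the upstream patch: a continuation-line assembler reads ~/.pam_environment-style input line by line into one fixed-size stack buffer, skips the leading blanks of each physical line, and appends a line ending in a backslash to the next one. In the flawed mode only the trimmed text is added to `used`, so `buf_len - used` overstates the free space by the number of blanks skipped so far, and the next fgets()-style read is permitted to write past the end of the buffer. The corrected mode counts everything written from the current write position, which is the effect of the fix; the exact upstream diff is not reproduced here. The names `assemble_line`, `mem_gets` and `run`, the 32-byte buffer and the sample inputs are assumptions of this example. Rather than actually overrunning the buffer (undefined behaviour), the flawed mode detects that a real fgets() would do so and returns AL_SMASH.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not the Linux-PAM code: a simplified version of the
 * continuation-line assembler that reads ~/.pam_environment. Leading blanks
 * of every physical line are skipped, a line whose last non-blank byte is a
 * backslash continues on the next line, blank and '#' lines are ignored. */

enum { AL_EOF = 0, AL_TOO_LONG = -1, AL_SMASH = -2 };

/* fgets()-like reader over an in-memory "file": copies at most n-1 bytes,
 * stops after the first '\n', NUL-terminates, advances *src. 0 at end. */
static int mem_gets(char *dst, int n, const char **src)
{
    int i = 0;
    if (n <= 1 || **src == '\0')
        return 0;
    while (i < n - 1 && **src != '\0') {
        char c = *(*src)++;
        dst[i++] = c;
        if (c == '\n')
            break;
    }
    dst[i] = '\0';
    return 1;
}

/* flawed != 0: `used` grows by the trimmed text only (strlen(os)), so
 *              buf_len - used overstates the free space by the skipped blanks.
 * flawed == 0: `used` grows by everything written from p (strlen(p)).
 * Returns the assembled byte count, AL_EOF, AL_TOO_LONG, or AL_SMASH when a
 * real fgets(p, buf_len - used, f) would have written past buffer. */
static int assemble_line(const char **src, char *buffer, int buf_len, int flawed)
{
    char *p = buffer;
    int used = 0;

    for (;;) {
        if (used >= buf_len)
            return AL_TOO_LONG;
        if (**src == '\0')
            return used ? AL_TOO_LONG : AL_EOF;   /* EOF inside a continuation */

        int claimed = buf_len - used;             /* what the parser believes is free */
        int real = buf_len - (int)(p - buffer);   /* what is actually free */
        size_t need = strcspn(*src, "\n");        /* bytes the next physical line needs */
        if ((*src)[need] == '\n')
            need++;
        need++;                                   /* terminating NUL */
        if (claimed > real && (int)need > real)
            return AL_SMASH;                      /* fgets() would overrun the buffer */

        mem_gets(p, real, src);

        char *s = p + strspn(p, " \t\n");         /* skip leading blanks */
        if (*s == '\0' || *s == '#') {            /* blank or comment line: start over */
            used = 0;
            p = buffer;
            continue;
        }
        char *os = s;
        char *hash = strchr(os, '#');
        if (hash) {                               /* trailing comment ends the line */
            *hash = '\0';
            used += (int)(flawed ? strlen(os) : strlen(p));
            return used;
        }
        char *e = os + strlen(os);
        while (e > os && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\n'))
            e--;                                  /* last non-blank byte */
        if (e > os && e[-1] == '\\') {
            e[-1] = ' ';                          /* continuation: '\' becomes ' ' */
            *e = '\0';
            used += (int)(flawed ? strlen(os) : strlen(p));
            p = e;                                /* next line is appended here */
            continue;
        }
        used += (int)(flawed ? strlen(os) : strlen(p));
        return used;
    }
}

/* Feeds one constructed input through a deliberately small 32-byte stack
 * buffer and copies the assembled line to out. Returns assemble_line's code. */
static int run(const char *input, int flawed, char *out, int out_len)
{
    char buf[32];
    const char *cur = input;
    int rc = assemble_line(&cur, buf, (int)sizeof buf, flawed);
    if (rc > 0)
        snprintf(out, out_len, "%s", buf);
    else if (out_len > 0)
        out[0] = '\0';
    return rc;
}

int main(void)
{
    /* constructed input: 2 leading blanks, then a second line of 21 bytes that
     * fits the over-counted space (23) but not the real space (21) */
    const char *in = "  FOO=bar \\\nBAZ=0123456789012345\n";
    char out[64];
    printf("flawed:  %d\n", run(in, 1, out, sizeof out));   /* -2: would smash the stack */
    printf("fixed:   %d  [%s]\n", run(in, 0, out, sizeof out));
    return 0;
}
```

The decisive quantity is `claimed - real`, which in the flawed mode equals the total leading whitespace skipped across the continuation lines read so far; an attacker who controls ~/.pam_environment controls both that amount and the length of the following line, which is why the report rates this as potential privilege escalation rather than only a crash.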
As there is no maintainer of this package, I am adding the committers to CC.
CC: (none) => mageia, mageia, pterjan
Ping?
OK, I'll take this one. Sorry for the delay.
Assignee: bugsquad => mageia
OK, submitted to core/updates_testing for mga1: pam-1.1.3-2.1.mga1

I have also fixed another problem in the pam package (not a security issue) that gave members of the audio group certain realtime permissions. This is generally not needed for audio applications these days and can cause strange problems with some programs. This issue was covered in Bug #2503.

So....

Advisory Text
=============
Two security flaws were found and fixed in the pam package shipped with Mageia 1. Additional problems were also found with the default nice/realtime priorities for the audio group.

CVE-2011-3148: A stack-based buffer overflow flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool parsed the content of a user's ~/.pam_environment file for additional environment variables (the leading whitespace was not counted into the count of bytes which had been read into the buffer), when both the pam_env module and reading of the user-specific environment file were enabled. A local attacker could use this flaw to crash the pam_env module or, potentially, escalate their privileges.
Acknowledgements: Mageia would like to thank Kees Cook of Google ChromeOS Team for reporting and Red Hat for their summary of this issue.

CVE-2011-3149: An infinite loop flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool expanded certain environment variables, when both the pam_env module and reading of the user-specific environment file were enabled. A local attacker could use this flaw to cause the pam_env module check to enter an infinite loop and spam the system log file of the particular host.
Acknowledgements: Mageia would like to thank Kees Cook of Google ChromeOS Team for reporting and Red Hat for their summary of this issue.

Audio Group Limits: Default nice levels and realtime priority were given to users in the audio group. This could cause instability in some cases if users had manually added themselves to the audio group.
This patch was added many years ago, before PulseAudio (which uses rtkit to obtain realtime privileges only in the threads that need it) and before ACL usage on device nodes, which required users to put themselves into the audio group to work around permission problems. The world has moved on from this place, and this patch is now obsolete and so has been dropped.
Assignee: mageia => qa-bugs
There is a package that will have to be linked from Core Release to Core Updates due to bug 2317. The Core Release version of libpam0 requires libdb_nss-4.8.so. The Core Updates Testing version requires libdb_nss-5.1.so as well, which is currently only in Core Release. The package libdbnss5.1 will have to be linked, due to this.
CC: (none) => davidwhodgins
Confirmed with depcheck :)
----------------------------------------
The following packages will require linking:
libdbnss5.1-5.1.19-6.mga1 (Core Release)
----------------------------------------
Some testing info for CVE-2011-3148 here: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
I can't test this remotely, as if affected it disables ssh login.

CVE-2011-3149 testing info here: https://bugs.launchpad.net/ubuntu/%2Bsource/pam/%2Bbug/874565

Some info on enabling ~/.pam_environment parsing. If it is required, then Mageia is not really affected anyway by default.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3148
Does anyone know which pam config file to update?

# grep readenv /etc/security/pam_env.conf
user_readenv=1

If the above is the right one, mga 1 does not seem to be susceptible. Btw, for testing, I ssh to a remote system and then ssh back to my local system, so that I can fix the local system if it is susceptible.
As this is a security update, and I haven't been able to recreate the problem, and the default Mageia config doesn't seem to be affected, I think simply testing that the programs work will have to be sufficient. As I can ssh from/to the system with the updates installed, I consider testing on i586 complete for the srpm pam-1.1.3-2.1.mga1.src.rpm.
x86_64 testing still required. Reminder that libdbnss5.1 will have to be linked from Core Release to Core Updates when pushed.
Testing complete on x86_64, update validated.

Could someone from sysadmin please push pam-1.1.3-2.1.mga1.src.rpm from Updates_Testing to Updates and link libdbnss5.1-5.1.19-6.mga1 to Updates. As per comment 4:

Advisory Text
=============
Two security flaws were found and fixed in the pam package shipped with Mageia 1. Additional problems were also found with the default nice/realtime priorities for the audio group.

CVE-2011-3148: A stack-based buffer overflow flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool parsed the content of a user's ~/.pam_environment file for additional environment variables (the leading whitespace was not counted into the count of bytes which had been read into the buffer), when both the pam_env module and reading of the user-specific environment file were enabled. A local attacker could use this flaw to crash the pam_env module or, potentially, escalate their privileges.
Acknowledgements: Mageia would like to thank Kees Cook of Google ChromeOS Team for reporting and Red Hat for their summary of this issue.

CVE-2011-3149: An infinite loop flaw was found in the way the pam_env module of PAM (Pluggable Authentication Modules) security tool expanded certain environment variables, when both the pam_env module and reading of the user-specific environment file were enabled. A local attacker could use this flaw to cause the pam_env module check to enter an infinite loop and spam the system log file of the particular host.
Acknowledgements: Mageia would like to thank Kees Cook of Google ChromeOS Team for reporting and Red Hat for their summary of this issue.

Audio Group Limits: Default nice levels and realtime priority were given to users in the audio group. This could cause instability in some cases if users had manually added themselves to the audio group.
This patch was added many years ago, before PulseAudio (which uses rtkit to obtain realtime privileges only in the threads that need it) and before ACL usage on device nodes, which required users to put themselves into the audio group to work around permission problems. The world has moved on from this place, and this patch is now obsolete and so has been dropped.
Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED