Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 199193 (CVE-2007-1716)

Summary: sys-auth/pam_console sys-libs/pam <=0.78 Console devices ownership privilege escalation (CVE-2007-1716)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dkarasik, pam-bugs+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=233581
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
pam-0.99.7.1-console-decrement.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 23:36:35 UTC 
CVE-2007-1716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1716):
  pam_console does not properly restore ownership for certain console devices
  when there are multiple users logged into the console and one user logs out,
  which might allow local users to gain privileges.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 23:38:54 UTC 
Pam herd, can you confirm this bug still exists in our version of pam_console?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 23:39:21 UTC 
Created attachment 136004 [details, diff]
pam-0.99.7.1-console-decrement.patch

Patch applied by RedHat
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-11-15 12:22:05 UTC 
It has always been the case and it's my main reason for detesting pam_console.

Thank you for giving me the excuse^Wreason to get rid of pam_console entirely :)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 12:50:11 UTC 
That is, you advise to mask and last-rite it?

There's no use for it anymore?
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-11-15 12:56:48 UTC 
My advise would be to cvs rm -f it...
Yes there is still an use case for it, but it's supposedly going to be covered by consolekit, and there is too much burden with it. I won't maintain pam_console, I said that already, and I doubt there is anyone else right now wanting to maintain it. It's defective by design.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 13:06:13 UTC 
Sounds good, please mask and last-rite then. We'll prepare a mask-glsa as soon as it's on its way.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-11-15 13:11:34 UTC 
There's also the problem that ~sys-libs/pam-0.78 still carries pam_console. If you're fine with it I'll remove the keywords for all arches but mips (that hasn't neither ~mipsed nor mipsed 0.99 series - otherwise 0.99 is stable for all arches).
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 16:02:09 UTC 
sounds good.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 22:41:57 UTC 
masked, last-rited. and maskglsa filed.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 00:28:38 UTC 
Rerating B4 as the impact is only information leak.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 00:31:42 UTC 
Rerating ~4, this was never stable. Let's wait until it's gone then.
Comment 12 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-11-16 10:03:02 UTC 
sys-libs/pam-0.78 was stable till a few weeks ago.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 14:13:03 UTC 
Right, since about Oct. 20.

GLSA vote for pam now open. I tend to vote no.
Comment 14 Glynn Clements 2007-11-28 18:04:55 UTC 
ConsoleKit is not a substitute as it requires X
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-11-28 19:31:12 UTC 
No it does not. And please leave this bug alone if it has nothing to add to security team.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-10 21:47:13 UTC 
votin no too, and finally closing, sorry for the delay.