CVE-2007-1716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1716): pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges.
Pam herd, can you confirm this bug still exists in our version of pam_console?
Created attachment 136004: pam-0.99.7.1-console-decrement.patch. Patch applied by RedHat
It has always been the case and it's my main reason for detesting pam_console. Thank you for giving me the excuse^Wreason to get rid of pam_console entirely :)
That is, you advise to mask and last-rite it? There's no use for it anymore?
My advice would be to cvs rm -f it... Yes, there is still a use case for it, but it's supposedly going to be covered by consolekit, and there is too much burden with it. I won't maintain pam_console, I said that already, and I doubt there is anyone else right now wanting to maintain it. It's defective by design.
Sounds good, please mask and last-rite then. We'll prepare a mask-glsa as soon as it's on its way.
There's also the problem that ~sys-libs/pam-0.78 still carries pam_console. If you're fine with it I'll remove the keywords for all arches but mips (that has neither ~mipsed nor mipsed the 0.99 series - otherwise 0.99 is stable for all arches).
sounds good.
masked, last-rited. and maskglsa filed.
Rerating B4 as the impact is only information leak.
Rerating ~4, this was never stable. Let's wait until it's gone then.
sys-libs/pam-0.78 was stable till a few weeks ago.
Right, since about Oct. 20. GLSA vote for pam now open. I tend to vote no.
ConsoleKit is not a substitute as it requires X
No it does not. And please leave this bug alone if it has nothing to add to security team.
Voting no too, and finally closing, sorry for the delay.