Bug 580410 (CVE-2015-8325)

Summary: <net-misc/openssh-7.3_p1: ignore PAM environment vars when UseLogin=yes
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: base-system, robbat2, salikov.alexey
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 590202    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-04-18 10:47:41 UTC
From ${URL} :

If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
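
A configuration check for the two conditions named in the description, as an added example that is not part of the original bug report or of OpenSSH. It assumes the PAM side is `pam_env` with `user_readenv=1` (the report does not name the module); the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
#UseLogin no
UseLogin yes
"""
SAMPLE_PAM_SSHD = """\
auth       include      system-remote-login
session    required     pam_env.so user_readenv=1
"""

def _strip(raw):
    """Drop '#' comments and surrounding whitespace from one config line."""
    return raw.split("#", 1)[0].strip()

def uselogin_enabled(sshd_config_text):
    """True if the first UseLogin directive is 'yes' (sshd keeps the first value)."""
    for raw in sshd_config_text.splitlines():
        # Keywords are case-insensitive; accept both 'UseLogin yes' and 'UseLogin=yes'.
        m = re.match(r"(?i)uselogin(?:\s*=\s*|\s+)(\S+)", _strip(raw))
        if m:
            return m.group(1).strip('"').lower() == "yes"
    return False  # directive absent: treated as the default, 'no'

def pam_env_user_readenv(pam_text):
    """Return pam_env lines that explicitly set user_readenv=1.

    Assumption: the module is pam_env; 'include' lines are not followed.
    """
    hits = []
    for raw in pam_text.splitlines():
        fields = _strip(raw).split()
        if any(f.endswith("pam_env.so") for f in fields) and "user_readenv=1" in fields:
            hits.append(" ".join(fields))
    return hits

def exposed(sshd_config_text, pam_text):
    """Both conditions from the bug description hold for this configuration."""
    return uselogin_enabled(sshd_config_text) and bool(pam_env_user_readenv(pam_text))

if __name__ == "__main__":
    print("UseLogin yes:     ", uselogin_enabled(SAMPLE_SSHD_CONFIG))
    print("pam_env readenv:  ", pam_env_user_readenv(SAMPLE_PAM_SSHD))
    print("needs remediation:", exposed(SAMPLE_SSHD_CONFIG, SAMPLE_PAM_SSHD))
```

A `True` result from `exposed` on a host running a version below net-misc/openssh-7.3_p1 matches the condition in the description.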
Comment 1 cronolio 2016-04-24 16:07:57 UTC
I know this is not a good place for it... but it is very slow. Can we bump automatically when we only need to recompile the package?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:32:45 UTC
This issue was resolved and addressed in
 GLSA 201612-18 at
by GLSA coordinator Aaron Bauman (b-man).