Bug 326953 - <sys-auth/pam_krb5-4.3: Multiple vulnerabilities (CVE-2009-{0360,0361})
Summary: <sys-auth/pam_krb5-4.3: Multiple vulnerabilities (CVE-2009-{0360,0361})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.eyrie.org/~eagle/software/...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-05 07:58 UTC by Eray Aslan
Modified: 2014-12-12 00:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description Eray Aslan gentoo-dev 2010-07-05 07:58:17 UTC
CVE-2009-0360
    When linked with MIT Kerberos, pam-krb5 did not use the correct API for initializing the Kerberos libraries in a setuid context. This meant the MIT Kerberos libraries would trust environmental variables to locate the Kerberos configuration. An attacker could exploit this to bypass authentication checks in setuid applications using PAM for authentication, resulting in privilege escalation. This vulnerability was not present if pam-krb5 was linked with the Heimdal Kerberos implementation. 

CVE-2009-0361
    pam_setcred with PAM_REINITIALIZE_CREDS or PAM_REFRESH_CREDS is used to refresh existing credentials for a user, such as when releasing a locked screen. It therefore honors the existing KRB5CCNAME environment variable to locate the existing Kerberos credential cache. This means, however, that if those APIs were called by a setuid application without first calling PAM_ESTABLISH_CREDS or dropping privileges, pam-krb5 may overwrite and chown the file specified by KRB5CCNAME to an attacker. This PAM calling sequence is unusual, but it's known to be used by Solaris 10 su. pam-krb5 3.13 and later will log an error message and return success without taking any action when a program attempts to reinitialize credentials in a setuid context. 

sys-auth/pam_krb5-4.2 has been in the tree since May 21st with no bugs against it. Please stabilize.

Reproducible: Always
Comment 1 Eray Aslan gentoo-dev 2010-07-23 16:32:53 UTC
Please stabilize sys-auth/pam_krb5-4.3 since pam_krb5-4.2 is no longer in the tree. From the changelog:

23 Jul 2010; Diego E. Pettenò <flameeyes@gentoo.org>
-pam_krb5-3.13.ebuild, -pam_krb5-4.2.ebuild:
Remove older versions.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-12 08:45:57 UTC
Green light from me.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-17 19:28:19 UTC
Arches, please test and mark stable:
=sys-auth/pam_krb5-4.3
Target keywords : "amd64 ppc sparc x86"
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-18 02:54:16 UTC
x86 stable
Comment 5 Eray Aslan gentoo-dev 2010-08-18 07:41:48 UTC
I think we are missing the arm and sh arches from the stable request:

From the pam_krb5 changelog:
15 Aug 2010; Raúl Porcel <armin76@gentoo.org> pam_krb5-4.3.ebuild:
   Add ~sh
02 Aug 2010; Markus Meier <maekke@gentoo.org> pam_krb5-4.3.ebuild:
   add ~arm, bug #329585
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-08-18 14:31:40 UTC
amd64 done
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-18 15:19:22 UTC
(In reply to comment #5)
> I think we are missing arm and sh arches from stable request:
> 

The package was never stable there. If you want it stable on these arches, file a regular stablereq.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-08-28 16:41:33 UTC
sparc stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-09-12 04:17:30 UTC
Marked ppc stable.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-10-15 15:03:22 UTC
GLSA vote: YES
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 20:35:11 UTC
GLSA Vote: Yes, too; request filed.
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:33:29 UTC
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).