From the Secunia advisory at $URL:
Two vulnerabilities have been reported in Linux-PAM, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges.
1) A boundary error within the "_assemble_line()" function (modules/pam_env/pam_env.c) of the "pam_env" module can be exploited to cause a stack-based buffer overflow via e.g. a specially crafted "~/.pam_environment" file.
2) The "_expand_arg()" function (modules/pam_env/pam_env.c) of the "pam_env" module does not properly abort when encountering certain conditions during the expansion of environment variables, which can be exploited to e.g. cause a high CPU consumption via specially crafted environment variables.
The vulnerabilities are reported in version 1.1.4. Other versions may also be affected.
Fixed in the GIT repository.
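An added audit sketch, not part of the advisory or of Linux-PAM: it flags `.pam_environment` content whose lines start with a long run of whitespace or assemble into an unusually long line, the kind of input issue 1 describes. The thresholds, the function names and the treatment of a trailing backslash as a line continuation are assumptions of this example.

```python
# Assumed thresholds for this sketch; tune them to the pam_env build in use.
MAX_LOGICAL_LINE = 1024   # assumed limit for one assembled line
MAX_LEADING_WS = 64       # assumed: legitimate files rarely indent further


def logical_lines(text):
    """Yield (first_line_no, assembled_line), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.split("\n"), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):          # assumed continuation marker
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None and buf:       # file ended inside a continuation
        yield start, buf


def audit(text):
    """Return (line_no, reason) findings for the contents of one file."""
    findings = []
    for no, line in logical_lines(text):
        leading = len(line) - len(line.lstrip(" \t"))
        if leading > MAX_LEADING_WS:
            findings.append((no, "leading-whitespace"))
        if len(line) > MAX_LOGICAL_LINE:
            findings.append((no, "line-too-long"))
    return findings


if __name__ == "__main__":
    # Constructed sample contents, not taken from any real system.
    samples = {
        "benign": "PATH DEFAULT=${HOME}/bin:/usr/bin\nLANG DEFAULT=en_US.UTF-8\n",
        "padded": " " * 200 + "FOO DEFAULT=bar\n",
        "continued": "A DEFAULT=" + ("x" * 600 + "\\\n") * 2 + "end\n",
    }
    for name, content in samples.items():
        print(name, audit(content))
```

Run `audit()` over each user's `~/.pam_environment` on hosts that still carry a Linux-PAM older than 1.1.5; a finding is a reason to inspect the file, not proof of tampering.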
1.1.5 in tree.
Arches, please test and mark stable:
target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 done. Thanks Agostino and Tomas
Stable for HPPA.
Builds fine on x86. Was able to login again. Seems ok to me. Please mark stable for x86.
ppc64 stable, last arch done
Thanks everyone. Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201206-31 at http://security.gentoo.org/glsa/glsa-201206-31.xml
by GLSA coordinator Stefan Behte (craig).
The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c)
in Linux-PAM (aka pam) before 1.1.5 does not properly handle when
environment variable expansion can overflow, which allows local users to
cause a denial of service (CPU consumption).
Stack-based buffer overflow in the _assemble_line function in
modules/pam_env/pam_env.c in Linux-PAM (aka pam) before 1.1.5 allows local
users to cause a denial of service (crash) and possibly execute arbitrary
code via a long string of white spaces at the beginning of the