Bug 388431 (CVE-2011-3148) - <sys-libs/pam-1.1.5 multiple vulnerabilities (CVE-2011-{3148,3149})
Summary: <sys-libs/pam-1.1.5 multiple vulnerabilities (CVE-2011-{3148,3149})
Status: RESOLVED FIXED
Alias: CVE-2011-3148
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://secunia.com/advisories/46583/
Whiteboard: A1 [glsa]
Reported: 2011-10-25 11:01 UTC by Sean Amoss
Modified: 2012-07-23 19:29 UTC
Description Sean Amoss gentoo-dev Security 2011-10-25 11:01:41 UTC
From the Secunia advisory at $URL:

Description
Two vulnerabilities have been reported in Linux-PAM, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges.

1) A boundary error within the "_assemble_line()" function (modules/pam_env/pam_env.c) of the "pam_env" module can be exploited to cause a stack-based buffer overflow via e.g. a specially crafted "~/.pam_environment" file.

2) The "_expand_arg()" function (modules/pam_env/pam_env.c) of the "pam_env" module does not properly abort when encountering certain conditions during the expansion of environment variables, which can be exploited to e.g. cause a high CPU consumption via specially crafted environment variables.

The vulnerabilities are reported in version 1.1.4. Other versions may also be affected.


Solution
Fixed in the GIT repository.
Further details available in Customer Area

Provided and/or discovered by
Kees Cook

Original Advisory
http://git.fedorahosted.org/git/?p=linux-pam.git;a=commitdiff;h=caf5e7f61c8d9288daa49b4f61962e6b1239121d
http://git.fedorahosted.org/git/?p=linux-pam.git;a=commitdiff;h=109823cb621c900c07c4b6cdc99070d354d19444

https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
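The two defect classes in the advisory above (a fixed stack buffer filled without a length check while a config line is assembled, and a variable-expansion loop that keeps going instead of aborting when its output buffer is full) are easiest to see against a version that fails closed. The following is an added illustration written for this page, not Linux-PAM's own `_assemble_line()` or `_expand_arg()` code: the buffer sizes, the `${NAME}` syntax, the `lookup_var` table and the sample inputs are all constructed for the example.

```c
/* Added illustration (not Linux-PAM's code): a bounded line reader and a
 * bounded variable expander that refuse input rather than overflow.
 * Buffer sizes, names and sample data are constructed for this example. */
#include <stdio.h>
#include <string.h>

/* Copy one line of a ~/.pam_environment-style file into a fixed buffer,
 * dropping leading blanks and a trailing newline.  Leading blanks are
 * skipped on the read side only; the size check applies to the bytes
 * actually copied, so a long run of spaces cannot push the write past
 * the buffer.  Returns 0 on success, -1 if the line would not fit
 * (reject the file; do not truncate silently). */
int assemble_line(const char *raw, char *out, size_t outsz)
{
    const char *p = raw;
    size_t n;

    while (*p == ' ' || *p == '\t')
        p++;
    n = strcspn(p, "\n");          /* payload length up to end of line */
    if (n >= outsz)
        return -1;                 /* no room for payload plus NUL */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Constructed lookup table standing in for the process environment. */
static const char *lookup_var(const char *name, size_t len)
{
    static const struct { const char *k, *v; } table[] = {
        { "HOME", "/home/alice" },
        { "BIG",  "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].k) == len && memcmp(table[i].k, name, len) == 0)
            return table[i].v;
    return "";                     /* unknown variable expands to empty */
}

/* Expand ${NAME} references in value into out (capacity outsz).  Every
 * append is checked against the remaining space and the first overflow
 * aborts the whole expansion with -1, so the loop can never spin on an
 * input that does not fit.  Returns 0 on success. */
int expand_arg(const char *value, char *out, size_t outsz)
{
    size_t used = 0;
    const char *p = value;

    while (*p) {
        if (p[0] == '$' && p[1] == '{') {
            const char *end = strchr(p + 2, '}');
            if (!end)
                return -1;         /* unterminated reference: reject */
            const char *v = lookup_var(p + 2, (size_t)(end - (p + 2)));
            size_t vl = strlen(v);
            if (vl >= outsz - used)
                return -1;         /* abort on overflow, do not continue */
            memcpy(out + used, v, vl);
            used += vl;
            p = end + 1;
        } else {
            if (used + 1 >= outsz)
                return -1;         /* one literal byte plus NUL must fit */
            out[used++] = *p++;
        }
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char line[32], val[16];
    /* constructed inputs: many leading blanks, then a short assignment */
    printf("line: %d -> \"%s\"\n",
           assemble_line("                  FOO=${HOME}/x\n", line, sizeof line), line);
    printf("expand: %d -> \"%s\"\n", expand_arg("${HOME}/x", val, sizeof val), val);
    printf("oversize expand rejected: %d\n", expand_arg("${BIG}", val, sizeof val));
    return 0;
}
```

Both functions return an error instead of partial output; a caller that treats any non-zero result as "ignore this file" keeps a malformed per-user environment file from affecting the login path at all.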
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-10-25 19:20:50 UTC
1.1.5 in tree.
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-25 19:48:51 UTC
Thanks Diego.


Arches, please test and mark stable:
=sys-libs/pam-1.1.5
target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-25 21:23:43 UTC
amd64 ok
Comment 4 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2011-10-26 15:33:04 UTC
amd64: Ok
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-10-27 19:54:42 UTC
amd64 done. Thanks Agostino and Tomas
Comment 6 Jeroen Roovers gentoo-dev 2011-10-28 15:25:12 UTC
Stable for HPPA.
Comment 7 Myckel Habets archtester 2011-10-29 15:52:57 UTC
Builds fine on x86. Was able to login again. Seems ok to me. Please mark stable for x86.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2011-10-29 16:29:29 UTC
alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2011-11-06 13:03:15 UTC
ppc done
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-11-25 17:34:01 UTC
ppc64 stable, last arch done
Comment 11 Sean Amoss gentoo-dev Security 2011-11-29 21:52:36 UTC
Thanks everyone. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-06-25 19:10:59 UTC
This issue was resolved and addressed in
 GLSA 201206-31 at http://security.gentoo.org/glsa/glsa-201206-31.xml
by GLSA coordinator Stefan Behte (craig).
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:29:39 UTC
CVE-2011-3149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3149):
  The _expand_arg function in the pam_env module (modules/pam_env/pam_env.c)
  in Linux-PAM (aka pam) before 1.1.5 does not properly handle when
  environment variable expansion can overflow, which allows local users to
  cause a denial of service (CPU consumption).

CVE-2011-3148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3148):
  Stack-based buffer overflow in the _assemble_line function in
  modules/pam_env/pam_env.c in Linux-PAM (aka pam) before 1.1.5 allows local
  users to cause a denial of service (crash) and possibly execute arbitrary
  code via a long string of white spaces at the beginning of the
  ~/.pam_environment file.