Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 580410 (CVE-2015-8325) - <net-misc/openssh-7.3_p1: ignore PAM environment vars when UseLogin=yes
Summary: <net-misc/openssh-7.3_p1: ignore PAM environment vars when UseLogin=yes
Alias: CVE-2015-8325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on: 590202
  Show dependency tree
Reported: 2016-04-18 10:47 UTC by Agostino Sarubbo
Modified: 2016-12-07 10:32 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-18 10:47:41 UTC
From ${URL} :

If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 cronolio 2016-04-24 16:07:57 UTC
i know it is no good place for it... but it is very slowly. we can bump automatically when need only recompile package?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:32:45 UTC
This issue was resolved and addressed in
 GLSA 201612-18 at
by GLSA coordinator Aaron Bauman (b-man).