Your message dated Sat, 04 Jun 2011 20:54:18 +0000
with message-id <e1qsxro-0007u7...@franck.debian.org>
and subject line Bug#608273: fixed in pam 1.1.3-1
has caused the Debian Bug report #608273,
regarding CVE-2010-3853: pam_namespace executes namespace.init with service's environment
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
608273: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608273
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pam
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tomas Mraz pointed out that the pam_namespace PAM module executes the external
namespace.init script with environment settings inherited from the program
or service that has pam_namespace configured.
Please see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3853
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_namespace/pam_namespace.c?view=log#rev1.13
https://rhn.redhat.com/errata/RHSA-2010-0819.html
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk0bUJsACgkQNxpp46476arzpwCfRYu4yznLD6z970bUPNbJkeE7
0qsAn10ej9XnZ3hnXoQF5PlGXZC9TYfD
=OuIG
-----END PGP SIGNATURE-----
--- End Message ---
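The report above describes a privileged module spawning an external helper (namespace.init) with the environment it inherited from the calling service. The following is an added example, not pam's code and not the upstream fix (see the pam_namespace.c log linked in the report for that): it shows the defensive pattern for this class of bug, building the child's environment from a fixed PATH plus a short allowlist and passing that to execve instead of the parent's environ. The functions `build_clean_env` and `run_helper_clean`, the allowlist contents and the constructed caller environment in `main` are all assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, trusted PATH for the helper; never taken from the caller. */
#define SAFE_PATH "PATH=/sbin:/bin:/usr/sbin:/usr/bin"

/* Allowlist (assumed for this example): the only caller variables that may
 * reach the helper. Everything else, PATH and loader variables included,
 * is dropped by default. */
static const char *const allowed_vars[] = { "LANG", "TZ", NULL };

/* Return 1 if the "NAME=value" entry has NAME on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t name_len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_vars[i] != NULL; i++) {
        if (strlen(allowed_vars[i]) == name_len &&
            strncmp(allowed_vars[i], entry, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Build a sanitized envp from `inherited` (the caller's environment, may be
 * NULL): SAFE_PATH first, then only allowlisted entries, NULL-terminated.
 * Returns the number of entries written (excluding the NULL), or -1 when
 * `out` (capacity `cap` pointers) is too small. */
int build_clean_env(char *const *inherited, const char **out, size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; inherited != NULL && inherited[i] != NULL; i++) {
        if (!is_allowed(inherited[i]))
            continue;
        if (n + 1 >= cap)          /* keep room for the terminating NULL */
            return -1;
        out[n++] = inherited[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Fork and execve argv[0] with the sanitized environment instead of the
 * parent's. Returns the child's exit status, or -1 on failure. */
int run_helper_clean(char *const *argv, char *const *inherited)
{
    const char *envp[64];
    if (build_clean_env(inherited, envp, sizeof envp / sizeof envp[0]) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, (char *const *)envp);
        _exit(127);                /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed caller environment: a PATH and loader setting chosen by
     * the unprivileged caller, plus two harmless locale variables. */
    char *const caller_env[] = {
        "PATH=/home/user/bin:/bin",
        "LD_PRELOAD=/home/user/lib/hook.so",
        "LANG=C.UTF-8",
        "TZ=UTC",
        NULL
    };
    /* The helper reports what it actually sees: the fixed PATH, no
     * LD_PRELOAD, and only the allowlisted LANG/TZ. */
    char *const helper[] = {
        "/bin/sh", "-c",
        "echo \"helper PATH=$PATH LD_PRELOAD=${LD_PRELOAD:-<unset>} LANG=$LANG\"",
        NULL
    };
    int rc = run_helper_clean(helper, caller_env);
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The allowlist is deliberately deny-by-default: a denylist of "known bad" variable names is fragile, since the helper's interpreter and the dynamic loader each honour their own set, and that set changes between versions.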
--- Begin Message ---
Source: pam
Source-Version: 1.1.3-1
We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:
libpam-cracklib_1.1.3-1_amd64.deb
to main/p/pam/libpam-cracklib_1.1.3-1_amd64.deb
libpam-doc_1.1.3-1_all.deb
to main/p/pam/libpam-doc_1.1.3-1_all.deb
libpam-modules_1.1.3-1_amd64.deb
to main/p/pam/libpam-modules_1.1.3-1_amd64.deb
libpam-runtime_1.1.3-1_all.deb
to main/p/pam/libpam-runtime_1.1.3-1_all.deb
libpam0g-dev_1.1.3-1_amd64.deb
to main/p/pam/libpam0g-dev_1.1.3-1_amd64.deb
libpam0g_1.1.3-1_amd64.deb
to main/p/pam/libpam0g_1.1.3-1_amd64.deb
pam_1.1.3-1.diff.gz
to main/p/pam/pam_1.1.3-1.diff.gz
pam_1.1.3-1.dsc
to main/p/pam/pam_1.1.3-1.dsc
pam_1.1.3.orig.tar.gz
to main/p/pam/pam_1.1.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 608...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vor...@debian.org> (supplier of updated pam package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 04 Jun 2011 03:10:50 -0700
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source amd64 all
Version: 1.1.3-1
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vor...@debian.org>
Changed-By: Steve Langasek <vor...@debian.org>
Description:
libpam-cracklib - PAM module to enable cracklib support
libpam-doc - Documentation of PAM
libpam-modules - Pluggable Authentication Modules for PAM
libpam-runtime - Runtime support for the PAM library
libpam0g - Pluggable Authentication Modules library
libpam0g-dev - Development files for PAM
Closes: 599832 602902 608273
Changes:
pam (1.1.3-1) unstable; urgency=low
.
* New upstream release.
- Fixes CVE-2010-3853, executing namespace.init with an insecure
environment set by the caller. Closes: #608273.
- Fixes CVE-2010-3316 CVE-2010-3430 CVE-2010-3431 CVE-2010-3435.
Closes: #599832.
* Port hurd_no_setfsuid patch to new pam_modutil_{drop,restore}_priv
interface; now possibly upstreamable
* debian/patches-applied/027_pam_limits_better_init_allow_explicit_root:
set a better default RLIMIT_MEMLOCK value for BSD kernels. Thanks to
Petr Salinger for the fix. Closes: #602902.
* bump the minimum version check in maintainer scripts for the restart
handling.
Checksums-Sha1:
0ce9837dfdec246b50cb1d15d770354f50567be0 2109 pam_1.1.3-1.dsc
897acdce243c6c6afeee7d3a4f351e3e891eff44 1768872 pam_1.1.3.orig.tar.gz
706cd5267b217b3630e12cedbc9e94e2a95dc18e 269674 pam_1.1.3-1.diff.gz
e956e9f8152fa55dfccc32b1c8a416a745412ade 121884 libpam0g_1.1.3-1_amd64.deb
989cac783c8ff4c7c9030edda82a599435528b89 375442 libpam-modules_1.1.3-1_amd64.deb
3bbeffb390d897837132d5ce3abcaa3f5aa3f145 223050 libpam-runtime_1.1.3-1_all.deb
ab70b8b64e356ff3d97fbcbdf836f3db499c716b 188594 libpam0g-dev_1.1.3-1_amd64.deb
0011192c68efc661ecf13efae11b26ba9d380473 81740 libpam-cracklib_1.1.3-1_amd64.deb
6f60ed3f014ec13ff01c381dda6630efbda04db8 320804 libpam-doc_1.1.3-1_all.deb
Checksums-Sha256:
3aaeb8f093f78a36d94ab9c04ff92dddd0380be2d3a704ce3be8fa63c19d7af1 2109 pam_1.1.3-1.dsc
a5bff0a161aeb6c0857fd441ff984749a8b208ad50b8d1f117058a6301741a0f 1768872 pam_1.1.3.orig.tar.gz
218bad6ebb8b328937a6f91d1850ba39c75bc4ed24e48b01fc5210199fc9f463 269674 pam_1.1.3-1.diff.gz
376ceca2ef2dab913bf25c0e9c116bb2fd3b2f17fd8685153a7c444cc00a2276 121884 libpam0g_1.1.3-1_amd64.deb
b599ca1d0904958ae41591bbd3404a1a07f7d68ece8a118b4a0dd28396a6379d 375442 libpam-modules_1.1.3-1_amd64.deb
c323ed802d8aff469aab6efbd9f2190e52109ef48233dfc30b1ed8176ddad4f0 223050 libpam-runtime_1.1.3-1_all.deb
a7708730e62c49e4f85f53ee54c4890e8cf1544a648dd9cbfac5f043f7800ce2 188594 libpam0g-dev_1.1.3-1_amd64.deb
7553c3fb03efe9e9611d336c8c7a03718fc92cd3c18eab0945d14d374ba540bb 81740 libpam-cracklib_1.1.3-1_amd64.deb
0d68e169bf832d4dbfbbbe7b11b96c025f605da438eacfb185c9c8463d2371a3 320804 libpam-doc_1.1.3-1_all.deb
Files:
4d73edee202991161f29329a2ce5a600 2109 libs optional pam_1.1.3-1.dsc
9a977619848cfed372d9b361e328ec99 1768872 libs optional pam_1.1.3.orig.tar.gz
a02dd1f1709f7f40741c48320fd739ba 269674 libs optional pam_1.1.3-1.diff.gz
9cb43d674e04cb053cd852851938ecc6 121884 libs required libpam0g_1.1.3-1_amd64.deb
aa9a10bfb82f140ee528b3f60b136db6 375442 admin required libpam-modules_1.1.3-1_amd64.deb
1f89c650cc8c0ed8c6d1dd1d1a051302 223050 admin required libpam-runtime_1.1.3-1_all.deb
ada05de3a36c5c76a343c8d2d1664f17 188594 libdevel optional libpam0g-dev_1.1.3-1_amd64.deb
ed6bb94851e7faf4dd2e28c3dbd9d222 81740 admin optional libpam-cracklib_1.1.3-1_amd64.deb
78e8df2d3b0d15fe38b734cb51b34c44 320804 doc optional libpam-doc_1.1.3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
=KYgw
-----END PGP SIGNATURE-----
--- End Message ---