|
Message-Id: <201403262005.s2QK5oG2001105@linus.mitre.org> Date: Wed, 26 Mar 2014 16:05:50 -0400 (EDT) From: cve-assign@...re.org To: krahmer@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: pam_timestamp internals -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I came across some implications of pam_timestamp ... it aims to mimic > sudo timestamp tickets > there seems to be a path traversal issue Use CVE-2014-2583. As usual, there are not separate CVE IDs for the different impacts. > One should probably take care to not accidently include pam_timestamp in a config file > for a remote service, as chance is high that the RUSER/TTY is used incorrectly, even > when the user string is checked via getpwnam(). It should probably be documented in > pam_timestamp's manpage. There is no CVE ID for the issue in which the documentation might not be sufficient to prevent all problematic uses of pam_timestamp in conjunction with remote services. The documentation at http://www.linux-pam.org/Linux-PAM-html/sag-pam_timestamp.html and elsewhere specifically mentions "This is similar mechanism which is used in sudo" and "FILES /var/run/sudo/..." in fairly prominent ways. The documentation is not directly misleading, i.e., there doesn't seem to be any implication that a remote service is a recommended use case. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTMy96AAoJEKllVAevmvms7JkH/0GC/rQ0JAYaYMEX88iZM4Fk eUU33cqGX2UZkHwZ0HCMoyi521ptE31rllfBNqcuhdOc/X06pY/zq16Cbfc9yPGr PYGzMou5KjoKscEov4ma3J/FVgrDMGHKp6uU/RGsEllr3qrEOx92sOKP4dw5nteC 6b8B7b8KQXBRGWdAg0ydFU1KSFdQxpNU7ii9FUMYHswohubgGyYbkbWMltyICHWd CRYNiZtIyou2hX80otdXi2p/ezVZuovtfgQbwjtYhehUDn46MV09lhWRVJZmDH+L IaEwd2wjGNyV07NcBIt+NLghRNCW7U2oct1wdxg4R6wbVW0NBYJAgynVqTAEDLo= =dQxv -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.