Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 26 Mar 2014 16:05:50 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: pam_timestamp internals

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I came across some implications of pam_timestamp ... it aims to mimic
> sudo timestamp tickets

> there seems to be a path traversal issue

Use CVE-2014-2583. As usual, there are not separate CVE IDs for the
different impacts.

> One should probably take care to not accidently include pam_timestamp in a config file
> for a remote service, as chance is high that the RUSER/TTY is used incorrectly, even
> when the user string is checked via getpwnam(). It should probably be documented in
> pam_timestamp's manpage.

There is no CVE ID for the issue in which the documentation might
not be sufficient to prevent all problematic uses of pam_timestamp in
conjunction with remote services. The documentation at
http://www.linux-pam.org/Linux-PAM-html/sag-pam_timestamp.html and
elsewhere specifically mentions "This is similar mechanism which is
used in sudo" and "FILES /var/run/sudo/..." in fairly prominent ways.
The documentation is not directly misleading, i.e., there doesn't seem
to be any implication that a remote service is a recommended use case.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTMy96AAoJEKllVAevmvms7JkH/0GC/rQ0JAYaYMEX88iZM4Fk
eUU33cqGX2UZkHwZ0HCMoyi521ptE31rllfBNqcuhdOc/X06pY/zq16Cbfc9yPGr
PYGzMou5KjoKscEov4ma3J/FVgrDMGHKp6uU/RGsEllr3qrEOx92sOKP4dw5nteC
6b8B7b8KQXBRGWdAg0ydFU1KSFdQxpNU7ii9FUMYHswohubgGyYbkbWMltyICHWd
CRYNiZtIyou2hX80otdXi2p/ezVZuovtfgQbwjtYhehUDn46MV09lhWRVJZmDH+L
IaEwd2wjGNyV07NcBIt+NLghRNCW7U2oct1wdxg4R6wbVW0NBYJAgynVqTAEDLo=
=dQxv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.