1
PublicDateAtUSN: 2011-01-24
2
Candidate: CVE-2010-3316
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3316
6
http://thread.gmane.org/gmane.comp.security.oss.general/3311/focus=3534
7
https://usn.ubuntu.com/usn/usn-1140-1
9
The run_coprocess function in pam_xauth.c in the pam_xauth module in
10
Linux-PAM (aka pam) before 1.1.2 does not check the return values of the
11
setuid, setgid, and setgroups system calls, which might allow local users
12
to read arbitrary files by executing a program that relies on the pam_xauth
16
mdeslaur> patch below also includes partial fix for CVE-2010-3435, but
17
mdeslaur> introduces CVE-2010-3430 and CVE-2010-3431
18
mdeslaur> see complete patch list in CVE-2010-3435
20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599832
21
http://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663
23
Discovered-by: Tim Brown
27
upstream: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6 (partial)
28
upstream_pam: released (1.1.2)
29
dapper_pam: ignored (reached end-of-life)
30
hardy_pam: released (0.99.7.1-5ubuntu6.3)
31
karmic_pam: ignored (reached end-of-life)
32
lucid_pam: released (1.1.1-2ubuntu5.2)
33
maverick_pam: released (1.1.1-4ubuntu2.2)
34
natty_pam: not-affected (1.1.2-2ubuntu6)
35
devel_pam: not-affected (1.1.2-2ubuntu6)