Local File Read Vulnerability in Linux-PAM's pam_xauth Module
CVE-2010-3316

Currently unrated

Key Information:

Vendor: Linux-pam

CVE Published: 24 January 2011

What is CVE-2010-3316?

The run_coprocess function in the pam_xauth module of Linux-PAM before version 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls. When one of these calls fails, the coprocess keeps the identity it already had instead of the one it was meant to switch to. This may enable local users to execute programs that bypass the pam_xauth check, leading to unauthorized access to arbitrary files on the system.
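The following added example (not Linux-PAM's code and not taken from the original page) shows the defensive pattern this class of bug calls for: a forked child checks every privilege-dropping call, verifies the resulting IDs, and exits without running the workload if anything fails. The names `drop_privileges`, `run_as_user`, `check_identity`, the exit code 126 and the ID 65534 are assumptions chosen for illustration.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DROP_FAILED 126 /* constructed exit code: privilege drop failed in child */

/* Return 0 only if every call succeeded and the IDs are the requested ones. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1; /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;        /* group first, while still privileged */
    if (setuid(uid) != 0) return -1;        /* user last */
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must not be regainable */
    return 0;
}

/* Fork, drop privileges in the child, run fn only after a verified drop.
 * Returns fn's exit status, DROP_FAILED, or -1 on fork/wait failure. */
static int run_as_user(uid_t uid, gid_t gid, int (*fn)(uid_t))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(DROP_FAILED);             /* fail closed: never run fn with old IDs */
        _exit(fn(uid));
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Sample workload: exits 0 if it runs as the expected user, 1 otherwise. */
static int check_identity(uid_t expected)
{
    return (getuid() == expected && geteuid() == expected) ? 0 : 1;
}

int main(void)
{
    int rc = run_as_user(65534, 65534, check_identity); /* 65534: assumed unprivileged ID */
    printf("run_as_user -> %d\n", rc);
    return rc == 1; /* 1 would mean the workload ran with the wrong identity */
}
```

Run as root, the workload executes under the target IDs; run without the privilege to change IDs, the child exits with `DROP_FAILED` and the workload never starts.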

Timeline

  • Vulnerability published

  • Vulnerability Reserved
