pam_krb5: Privilege escalation

Security Team Contact Address

Updated March 25, 2009

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200903-39 / pam_krb5
Release Date	March 25, 2009
Latest Revision	March 25, 2009: 01
Impact	high
Exploitable	local

Package	Vulnerable versions	Unaffected versions	Architecture(s)
sys-auth/pam_krb5	< 3.12	>= 3.12	All supported architectures

Related bugreports: #257075

Synopsis

Two vulnerabilities in pam_krb5 might allow local users to elevate their privileges or overwrite arbitrary files.

2. Impact Information

Background

pam_krb5 is a a Kerberos v5 PAM module.

Description

The following vulnerabilities were discovered:

pam_krb5 does not properly initialize the Kerberos libraries for setuid use (CVE-2009-0360).
Derek Chan reported that calls to pam_setcred() are not properly handled when running setuid (CVE-2009-0361).

Impact

A local attacker could set an environment variable to point to a specially crafted Kerberos configuration file and launch a PAM-based setuid application to elevate privileges, or change ownership and overwrite arbitrary files.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All pam_krb5 users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_krb5-3.12"

4. References