CVE-2010-3435 – pam: pam_env and pam_mail accessing users' file with root privileges
https://notcve.org/view.php?id=CVE-2010-3435
The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.
• http://git.altlinux.org/people/ldv/packages/?p=pam.git%3Ba=commit%3Bh=06f882f30092a39a1db867c9744b2ca8d60e4ad6
• http://lists.vmware.com/pipermail/security-announce/2011/000126.html
• http://openwall.com/lists/oss-security/2010/09/21/3
• http://openwall.com/lists/oss-security/2010/09/27/10
• http://openwall.com/lists/oss-security/2010/09/27/4
• http://openwall.com/lists/oss-security/2010/09/27/5
• http://openwall.com/lists/oss-security/2010/09/27/7
• http://openwall.com/lists
CVE-2009-0579
https://notcve.org/view.php?id=CVE-2009-0579
Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow, which allows local users to bypass intended security policy and change their passwords sooner than specified.
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514437
• http://secunia.com/advisories/34728
• http://secunia.com/advisories/34733
• https://bugzilla.redhat.com/show_bug.cgi?id=487216
• https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00398.html
• https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00420.html
• https://www.redhat.com/archives/pam-list/2009-March/msg00006.html
• CWE-264: Permissions, Privileges, and Access Controls