Rapid7 Vulnerability & Exploit Database

RHSA-2001:132: New util-linux packages available to fix /bin/login pam problem

Severity: 7
CVSS: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published: 04/01/2002
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

New util-linux packages are available that fix a problem with /bin/login's PAM implementation. This could, in some non-default setups, cause users to receive credentials of other users. It is recommended that all users update to the fixed packages.

2001-10-22: Packages are now available for Red Hat Linux 7.2. Notably, these packages also fix the problem noted in RHSA-2001:095-04 (vipw incorrectly setting permissions on some files) - this bug was accidentally reintroduced in Red Hat Linux 7.2.

A problem existed in /bin/login's PAM implementation: it stored the value of a static pwent buffer across PAM calls. When used with some PAM modules in non-default configurations (such as pam_limits), those modules would overwrite the buffer, causing a user to get the credentials of another user.

Thanks go to Tarhon-Onu Victor <mituc@ac.tuiasi.ro> for bringing the problem to our attention, and to Olaf Kirch <okir@caldera.de> for providing the patch.
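The static-buffer pattern described above, as an added example that is not code from util-linux or from the Red Hat patch. The `lookup` function is a constructed stand-in for getpwnam(3), and the accounts, `module_hook`, `uid_stale` and `uid_copied` are hypothetical names; the block shows the stale-pointer read next to a deep copy taken before any other lookup can run.

```c
#include <stdio.h>
#include <string.h>

struct acct { char *name; unsigned uid; };   /* shaped like struct passwd */

static const struct { const char *name; unsigned uid; } table[] = {
    {"alice", 1000}, {"bob", 1001} };        /* constructed accounts */

/* Stand-in for getpwnam(3): one static record, reused by every call. */
static struct acct *lookup(const char *name) {
    static struct acct rec;
    static char namebuf[32];
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0) {
            snprintf(namebuf, sizeof namebuf, "%s", table[i].name);
            rec.name = namebuf;
            rec.uid = table[i].uid;
            return &rec;
        }
    return NULL;
}

/* Hypothetical module hook: performs its own lookup, as a PAM module may. */
static void module_hook(const char *other) { (void)lookup(other); }

/* Flawed: the pointer to the static record is held across the module call. */
unsigned uid_stale(const char *user, const char *other) {
    struct acct *pw = lookup(user);
    if (!pw) return (unsigned)-1;
    module_hook(other);
    return pw->uid;                 /* record now describes `other` */
}

/* Corrected: deep-copy the record (struct and string) before any other call. */
unsigned uid_copied(const char *user, const char *other, char *name_out, size_t n) {
    struct acct *pw = lookup(user);
    if (!pw) return (unsigned)-1;
    struct acct mine = *pw;
    snprintf(name_out, n, "%s", pw->name);  /* a struct copy alone still aliases namebuf */
    mine.name = name_out;
    module_hook(other);
    return mine.uid;
}

int main(void) {
    char name[32];
    printf("stale:  uid=%u\n", uid_stale("alice", "bob"));
    printf("copied: uid=%u name=%s\n", uid_copied("alice", "bob", name, sizeof name), name);
    return 0;
}
```

With real getpwnam(3) the same applies to every string field of struct passwd; getpwnam_r(3) with a caller-owned buffer avoids the shared record entirely.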

Solution(s)

  • redhat-upgrade-util-linux
