pam-krb5 3.13

This is a security release fixing privilege escalation and local file overwrite vulnerabilities in all previous versions. All users of my pam-krb5 module should upgrade as soon as possible.

Derek Chan discovered, and Steven Luo reported, a vulnerability that allowed a local attacker to overwrite and chown arbitrary files when pam-krb5 was used with Solaris su. Subsequent investigation revealed another, more general problem that allowed tricking pam-krb5 into believing that Kerberos authentication had succeeded with a password under the attacker's control. This release fixes both problems (CVE-2009-0360 and CVE-2009-0361). See the security advisory for all the details.

I feel particularly bad about the more general vulnerability since there was a BUGTRAQ discussion about the underlying cause (needing to use krb5_init_secure_context with MIT Kerberos instead of krb5_init_context) back in 2007 around sudo. I should have realized the implications at the time.
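The check behind the secure-context distinction, as an added example that is not pam-krb5's own code and is not linked against any Kerberos library: a PAM module may be loaded by a setuid program such as su, so the environment it sees (KRB5_CONFIG, which can redirect a realm to a different KDC, or KRB5CCNAME, which names a ticket cache the module may create or chown) was supplied by the unprivileged caller. The function names (privileged_ids, choose_path, trusted_env_path), the fallback paths and the sample credentials are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Added example, not pam-krb5's own code.  Environment variables seen by
 * a setuid program come from the unprivileged caller and must not be
 * honoured while the process holds privileges that caller lacks.  MIT
 * Kerberos applies this rule to its own configuration lookup when
 * krb5_init_secure_context() is used in place of krb5_init_context();
 * a caller that handles paths itself (e.g. a ticket cache it intends to
 * chown) has to make the same decision explicitly.
 */

/* Nonzero when the process holds privileges its caller does not have. */
int privileged_ids(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/*
 * Pure decision function, kept separate from getenv()/getuid() so the
 * policy can be exercised with constructed credentials.  Returns the
 * environment value only when it is set and the process is unprivileged;
 * otherwise returns the compiled-in fallback.
 */
const char *choose_path(const char *env_value, const char *fallback,
                        uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (env_value == NULL || *env_value == '\0')
        return fallback;
    if (privileged_ids(ruid, euid, rgid, egid))
        return fallback;
    return env_value;
}

/* Wrapper that applies the policy to the live process. */
const char *trusted_env_path(const char *name, const char *fallback)
{
    return choose_path(getenv(name), fallback,
                       getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* Constructed credentials: uid 1000 running a setuid-root su. */
    printf("setuid su, KRB5_CONFIG set    -> %s\n",
           choose_path("/tmp/evil/krb5.conf", "/etc/krb5.conf",
                       1000, 0, 1000, 0));
    /* Constructed credentials: the same user's ordinary shell. */
    printf("unprivileged, KRB5_CONFIG set -> %s\n",
           choose_path("/home/user/krb5.conf", "/etc/krb5.conf",
                       1000, 1000, 1000, 1000));
    /* Live process: honours KRB5CCNAME only if we are not setuid/setgid. */
    printf("this process, KRB5CCNAME      -> %s\n",
           trusted_env_path("KRB5CCNAME", "/tmp/krb5cc_default"));
    return 0;
}
```

The real-versus-effective comparison is a heuristic: once a privileged program has called setuid() so that both IDs match (as su does before running the target shell), this test can no longer tell that the environment came from someone else. That is why the privileged program should sanitize its own environment, and why a library entry point that refuses environment overrides outright (or a kernel-tracked flag such as issetugid() on platforms that provide it) is preferable to callers guessing.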

Debian, Ubuntu, and Gentoo are affected. I prepared fixed patches for Debian stable, testing, and unstable for both libpam-krb5 and libpam-heimdal, and the Debian security advisories should follow mine shortly.

This release also has some build system and installation path fixes by Peter Breitenlohner and support for another Heimdal error reporting interface, thanks to Chaskiel Grundman.

You can get the latest release from the pam-krb5 distribution page.

Posted: 2009-02-11 11:52

Last spun 2013-07-01 from thread modified 2013-01-04