Source: pam Severity: normal Tags: security Hi, citing from ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/comments/0):
> pam_motd calls the scripts in /etc/update-motd.d/ as root without > sanitising the environment. While that is acceptable when called for > instance by sshd or by getty through login where the environment should be > controlled, it becomes an issue if for instance "session optional > pam_motd.so" is added to /etc/pam.d/su > > With that done, a user can simply update his $PATH to look first in a > directory that contains malicious replacements for commands called by the > /etc/update-motd.d/ scripts (for instance "uname" called by 00_header). > > pam_motd should perform the same kind of sanitisation as pam_exec, or even > better not do the run-part /etc/update-motd.d/ at all but add some pam_exec > calls to the pam configuration. > > That issue is made worth by the fact that the running of those scripts by > pam_motd is not documented. Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3628 for some (well...) information. cu AW -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.14 (SMP w/2 CPU cores; PREEMPT) Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
