Mandriva Advisories

Package name: pam
Date: April 28th, 2003
Advisory ID: MDKSA-2003:017-1
Affected versions: 8.2, 9.0, MNF8.2, CS2.1
Synopsis: Updated pam packages fix root authorization handling in pam_xauth module

Problem Description

Andreas Beck discovered that the pam_xauth module would forward
authorization information from the root account to unprivileged users.
This can be exploited by a local attacker to gain access to the root
user's X session. In order for it to be successfully exploited, the
attacker would have to somehow get the root user to su to the account
belonging to the attacker.

Update:

The previous fix was incorrect because certain applications, such as
userdrake and net_monitor, could not be executed as root, although they
could be executed by users who had successfully authenticated as root.

Updated Packages

Mandrakelinux 8.2

709506d5d500486efcc5d35a543fe9b3  8.2/RPMS/pam-0.75-25.2mdk.i586.rpm
9371a15d63964d3dce4181482afdbed5  8.2/RPMS/pam-devel-0.75-25.2mdk.i586.rpm
44e824293900efca4d55d659d4d5a217  8.2/RPMS/pam-doc-0.75-25.2mdk.i586.rpm
aeddf8bd57bf469e2a1ff293471c7585  8.2/SRPMS/pam-0.75-25.2mdk.src.rpm

Mandrakelinux 8.2/PPC

525eed58c1581c301a57489164d7a698  ppc/8.2/RPMS/pam-0.75-25.2mdk.ppc.rpm
7db1aed626b2413e0f3c1b4c555de6dd  ppc/8.2/RPMS/pam-devel-0.75-25.2mdk.ppc.rpm
88ce92857b13e18100cf42091f3f0fee  ppc/8.2/RPMS/pam-doc-0.75-25.2mdk.ppc.rpm
aeddf8bd57bf469e2a1ff293471c7585  ppc/8.2/SRPMS/pam-0.75-25.2mdk.src.rpm

Mandrakelinux 9.0

642e1ead88ac4679f9bbad1d8174a79b  9.0/RPMS/pam-0.75-25.2mdk.i586.rpm
47879bd2cd7468565296c804214e7fa4  9.0/RPMS/pam-devel-0.75-25.2mdk.i586.rpm
e421f141318950a00d5efd745726643a  9.0/RPMS/pam-doc-0.75-25.2mdk.i586.rpm
aeddf8bd57bf469e2a1ff293471c7585  9.0/SRPMS/pam-0.75-25.2mdk.src.rpm

Multi Network Firewall 8.2

709506d5d500486efcc5d35a543fe9b3  mnf8.2/RPMS/pam-0.75-25.2mdk.i586.rpm
aeddf8bd57bf469e2a1ff293471c7585  mnf8.2/SRPMS/pam-0.75-25.2mdk.src.rpm

Corporate Server 2.1

642e1ead88ac4679f9bbad1d8174a79b  corporate/2.1/RPMS/pam-0.75-25.2mdk.i586.rpm
47879bd2cd7468565296c804214e7fa4  corporate/2.1/RPMS/pam-devel-0.75-25.2mdk.i586.rpm
e421f141318950a00d5efd745726643a  corporate/2.1/RPMS/pam-doc-0.75-25.2mdk.i586.rpm
aeddf8bd57bf469e2a1ff293471c7585  corporate/2.1/SRPMS/pam-0.75-25.2mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1160

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
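The manual path described above is: download the packages, compare each file against the MD5 values listed under Updated Packages, then run rpm --checksig on the ones that match. The script below is an added example (not part of this advisory or of Mandriva's tooling) that automates the MD5 comparison step for the whole list at once. It parses checksum lines in the same "md5  relative/path" layout the advisory uses and reports, per package, OK, MISMATCH (a corrupted or altered download) or MISSING (a listed package not downloaded). The file contents and therefore the hashes in demo() are constructed for the demonstration; they are not the advisory's real package checksums.

```python
"""Check downloaded RPMs against an advisory's published MD5 list.

Added example, not Mandriva code. It automates the manual comparison the
advisory asks for before `rpm --checksig`, and flags tampered (MISMATCH)
and absent (MISSING) packages instead of silently skipping them.
"""
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_list(text):
    """Parse 'md5  relative/path' lines into {path: md5}.

    Matches the advisory's Updated Packages layout; blank lines and leading
    whitespace are tolerated, malformed digests are rejected outright.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition(" ")
        digest, path = digest.lower(), path.strip()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS or not path:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[path] = digest
    return expected


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large RPMs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(checksum_text, download_dir):
    """Return {path: 'OK' | 'MISMATCH' | 'MISSING'} for every listed package."""
    results = {}
    for rel_path, digest in parse_checksum_list(checksum_text).items():
        local = os.path.join(download_dir, rel_path)
        if not os.path.isfile(local):
            results[rel_path] = "MISSING"
        elif md5_of_file(local) == digest:
            results[rel_path] = "OK"
        else:
            results[rel_path] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact download, one tampered, one not downloaded.

    The package names mirror the advisory's 8.2 list; the file bodies (and so
    the MD5 values) are made up here and are not the real package checksums.
    """
    listed = {
        "8.2/RPMS/pam-0.75-25.2mdk.i586.rpm": b"constructed rpm payload A",
        "8.2/RPMS/pam-devel-0.75-25.2mdk.i586.rpm": b"constructed rpm payload B",
        "8.2/SRPMS/pam-0.75-25.2mdk.src.rpm": b"constructed src payload",
    }
    checksum_text = "\n".join(
        f"{hashlib.md5(data).hexdigest()}  {path}" for path, data in listed.items()
    )
    with tempfile.TemporaryDirectory() as download_dir:
        for path, data in listed.items():
            if path.endswith(".src.rpm"):
                continue  # SRPM deliberately left undownloaded -> MISSING
            if "devel" in path:
                data += b" tampered"  # altered in transit -> MISMATCH
            full = os.path.join(download_dir, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify_downloads(checksum_text, download_dir)


if __name__ == "__main__":
    for package, status in demo().items():
        print(f"{status:8s} {package}")
```

In real use, paste the advisory's checksum block into checksum_text and point download_dir at the directory you downloaded into; only packages reported OK should go on to rpm --checksig. The MD5 match shows that the download is the file the advisory describes; the GPG signature check by rpm --checksig is still what ties the package to the Mandriva Security Team's key, so the two steps complement rather than replace each other.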