MandrivaUsers.org > Security Advisory (MDKSA-2003:017-1): pam

Full Version: Security Advisory (MDKSA-2003:017-1): pam

MandrivaUsers.org > Announcements > Mandriva Security Advisories

aru

Apr 29 2003, 01:02 AM

MandrakeSoft Security Advisory MDKSA-2003:017-1 : pam

April 28th, 2003
Updated pam packages fix root authorization handling in pam_xauth module

Andreas Beck discovered that the pam_xauth module would forward authorization information from the root account to unprivileged users.This can be exploited by a local attacker to gain access to the root user's X session. In order for it to be successfully exploited, the attacker would have to somehow get the root user to su to the account belonging to the attacker.

Update:

The previous fix was incorrect because certain applications, such as userdrake and net_monitor could not be executed as root, although they could be executed as users who successfully authenticated as root.

The released versions of Mandrake GNU/Linux affected are:[list] 8.2

[*] 8.2/PPC

[*] 9.0

[*] Multi Network Firewall 8.2

[*] Corporate Server 2.1 [list]
Full information about this advisory, including the updated packages, is available at:
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:017-1

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2002-1160

[size=9]Posted automatically by aru (mdksec2mub v0.0.5)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.