[Pam-developers] [linux-pam] #27: pam_timestamp path traversal issue

#27: pam_timestamp path traversal issue -----------------------+------------------------------ Reporter: tmraz | Owner: pam-developers@… Type: security | Status: new Priority: major | Component: modules Version: | Keywords: Blocked By: | Blocking: -----------------------+------------------------------ pam_timestamp uses PAM_RUSER and PAM_TTY directly without any checks. If the user can mainpulate PAM_RUSER and PAM_TTY contents (which is mostly not possible, but there might be scenarios where it is) he would be able to get access to a service without proper checking. See http://seclists.org/oss-sec/2014/q1/645 for the original report by Sebastian Krahmer. I suppose sufficient mitigation would be to look for ".." in both PAM_RUSER and PAM_TTY and reject authentication attempt if they contain this string. I would also document that the module should never be used with services where the authenticating user can manipulate the PAM_RUSER variable contents. -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/27> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project