PT-2009-1024 · MIT · pam-krb5 (+1)

Derek Chan

Published: 2009-02-13
Updated: 2018-10-11

CVE-2009-0361

CVSS v2.0: 6.2 (Medium)
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

libpam-krb5 versions prior to 3.13
pam-krb5 versions prior to 3.13
Description

The issue is one of several vulnerabilities fixed in the libpam-krb5 package and can be exploited by a local attacker to compromise the confidentiality, integrity and availability of protected information. Specifically, pam-krb5 before 3.13, when used with MIT Kerberos, lets a local user overwrite arbitrary files and change their ownership: the attacker sets the KRB5CCNAME environment variable to a path of their choosing and then launches a setuid application that performs certain pam_setcred operations. Because the module honours the inherited KRB5CCNAME while the process runs with elevated privileges, the credential cache is written to, and chowned at, the attacker-chosen path.
Recommendations

For libpam-krb5 versions prior to 3.13, update to version 3.13 or later. For pam-krb5 versions prior to 3.13, update to version 3.13 or later. As a temporary workaround, avoid invoking pam_setcred through the pam-krb5 module from setuid applications, or have such applications clear KRB5CCNAME from their environment before calling into PAM, so that an inherited KRB5CCNAME cannot steer where the module writes the credential cache.
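The two hardening checks that the description and workaround imply, shown as an added example in C (this is illustrative code written for this page, not pam-krb5's own implementation; the function names, the FILE:/tmp/krb5cc_<uid> default and the self-check helpers are assumptions): a setuid process must not honour an inherited KRB5CCNAME, and before an existing cache file is rewritten or chown()ed on a user's behalf it must be verified with lstat() to be a regular file already owned by that user, so a planted symlink or foreign-owned file is rejected instead of followed.

```c
/* Added example, not pam-krb5 code; names and defaults are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1. Cache selection.  env_ccname is the inherited KRB5CCNAME (may be
 *    NULL); ruid/euid are the real and effective uids.  Returns 1 if
 *    env_ccname was honoured, 0 if it was ignored because the process is
 *    setuid and a per-user default was generated instead. */
static int choose_ccache(const char *env_ccname, uid_t ruid, uid_t euid,
                         char *out, size_t outlen)
{
    int setuid_context = (ruid != euid);

    if (env_ccname != NULL && env_ccname[0] != '\0' && !setuid_context) {
        snprintf(out, outlen, "%s", env_ccname);
        return 1;
    }
    /* Assumed default; mirrors the common FILE:/tmp/krb5cc_<uid> layout. */
    snprintf(out, outlen, "FILE:/tmp/krb5cc_%lu", (unsigned long) ruid);
    return 0;
}

/* Map a ccache name to a path: "FILE:/p" or a bare "/p".  NULL for
 * non-file cache types (KCM:, DIR:, ...). */
static const char *ccache_path(const char *ccname)
{
    if (strncmp(ccname, "FILE:", 5) == 0)
        return ccname + 5;
    if (strchr(ccname, ':') == NULL)
        return ccname;
    return NULL;
}

/* 2. Ownership check before the cache is (re)written or chown()ed for
 *    owner.  Accept only a not-yet-existing path or a regular file already
 *    owned by owner.  lstat() sees an attacker-planted symlink as a
 *    symlink rather than as its target. */
static int ccache_safe_to_reuse(const char *ccname, uid_t owner)
{
    const char *path = ccache_path(ccname);
    struct stat st;

    if (path == NULL)
        return 0;
    if (lstat(path, &st) != 0)
        return errno == ENOENT;     /* absent: will be created fresh */
    if (!S_ISREG(st.st_mode))       /* symlink, directory, fifo, device */
        return 0;
    return st.st_uid == owner;
}

/* Self-check: a setuid process (ruid 1000, euid 0) with
 * KRB5CCNAME=FILE:/etc/passwd must fall back to the per-user default. */
static int demo_setuid_ignores_env(void)
{
    char buf[128];
    int honoured = choose_ccache("FILE:/etc/passwd", 1000, 0, buf, sizeof buf);
    return honoured == 0 && strcmp(buf, "FILE:/tmp/krb5cc_1000") == 0;
}

/* Self-check: constructed temp cache file plus a symlink to it; the file
 * must be accepted, the symlink rejected.  1 on success, -1 if setup fails. */
static int demo_symlink_rejected(void)
{
    char file[] = "/tmp/krb5cc_exampleXXXXXX";
    char lnk[64];
    int fd = mkstemp(file), ok;

    if (fd < 0)
        return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    unlink(lnk);
    if (symlink(file, lnk) != 0) {
        unlink(file);
        return -1;
    }
    ok = ccache_safe_to_reuse(file, getuid()) == 1 &&
         ccache_safe_to_reuse(lnk, getuid()) == 0;
    unlink(lnk);
    unlink(file);
    return ok;
}

int main(void)
{
    printf("setuid ignores KRB5CCNAME: %s\n", demo_setuid_ignores_env() ? "ok" : "FAIL");
    printf("symlink rejected: %s\n", demo_symlink_rejected() == 1 ? "ok" : "FAIL");
    return 0;
}
```

The real-vs-effective uid comparison is the cheap check a module can make without help from its caller; the lstat() ownership check is the defence that still holds when the caller did pass a hostile KRB5CCNAME through, since it refuses to write through a symlink or into a file the target user does not already own.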

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2015-03045
CVE-2009-0361
DSA-1721-1
DSA-1722-1

Affected Products

libpam-krb5
pam-krb5