PT-2010-1042 · Linux+1 · Linux-Pam+1

Sebastian Krahmer · Published 2010-11-01 · Updated 2023-02-13 · CVE-2010-3435

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Linux-PAM versions prior to 1.1.2
Red Hat Enterprise Linux pam-devel version 1.1.1
Red Hat Enterprise Linux pam-debuginfo version 1.1.1
Red Hat Enterprise Linux pam version 1.1.1

Description

Multiple vulnerabilities in the Linux-PAM package can be exploited locally to compromise the confidentiality, integrity, and availability of protected information. Specifically, the pam_env and pam_mail modules keep root privileges while reading files and directories that belong to arbitrary user accounts. A local user could leverage this filesystem activity to obtain sensitive information, as demonstrated by a symlink attack on the .pam_environment file in the user's home directory.

Recommendations

For Linux-PAM versions prior to 1.1.2, update to version 1.1.2 or later to resolve the issue. For Red Hat Enterprise Linux pam-devel version 1.1.1, update to a version that includes the fix for this issue. For Red Hat Enterprise Linux pam-debuginfo version 1.1.1, update to a version that includes the fix for this issue. For Red Hat Enterprise Linux pam version 1.1.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the pam_env and pam_mail modules until a patch is available.
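As an added example (not part of this advisory and not Linux-PAM code), the Python below does two defender-side checks that follow from the description and recommendations: it compares a reported Linux-PAM version against the 1.1.2 threshold, and it audits home directories for a .pam_environment that is a symlink, is not owned by the home's owner, or is world-writable, i.e. the conditions under which a root-privileged read by pam_env could be redirected. The sample home tree, user names and file contents are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

FIXED_VERSION = (1, 1, 2)  # first upstream Linux-PAM release named as fixed in the advisory


def parse_version(text):
    """'1.1.1' -> (1, 1, 1); a distro suffix such as '1.1.1-8.el6' is dropped."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def is_fixed(version_text):
    # Distro packages may backport the fix without bumping the version; for RHEL
    # consult the RHSA identifiers listed in the advisory rather than this number.
    return parse_version(version_text) >= FIXED_VERSION


def audit_home(home):
    """Return (path, reason) findings for a user's .pam_environment file."""
    home = Path(home)
    target = home / ".pam_environment"
    if not target.is_symlink() and not target.exists():
        return []  # nothing for pam_env to read
    if target.is_symlink():  # the symlink case the advisory describes
        return [(str(target), "symlink -> " + os.readlink(target))]
    findings = []
    st = target.stat()
    if st.st_uid != home.stat().st_uid:
        findings.append((str(target), f"owned by uid {st.st_uid}, not the home owner"))
    if st.st_mode & stat.S_IWOTH:
        findings.append((str(target), "world-writable"))
    return findings


def audit_all(home_root):
    findings = []
    for home in sorted(Path(home_root).iterdir()):
        if home.is_dir():
            findings.extend(audit_home(home))
    return findings


def build_demo_homes():
    """Constructed sample tree: 'alice' has a benign file, 'mallory' has a symlink
    to a file outside the home directory."""
    root = Path(tempfile.mkdtemp(prefix="pam-audit-"))
    outside = root / "outside-home.txt"
    outside.write_text("not for other users\n")
    alice = root / "home" / "alice"
    alice.mkdir(parents=True)
    (alice / ".pam_environment").write_text("EDITOR=vim\n")
    os.chmod(alice / ".pam_environment", 0o644)
    mallory = root / "home" / "mallory"
    mallory.mkdir(parents=True)
    os.symlink(outside, mallory / ".pam_environment")
    return root / "home"
```

Running `audit_all(build_demo_homes())` reports only mallory's symlinked file; a real audit would point `audit_all` at `/home` and run as a user allowed to stat every home directory.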

Fix

Related Identifiers

BDU:2015-06022
BDU:2015-06023
BDU:2015-06025
CVE-2010-3435
RHSA-2010:0819
RHSA-2010:0891
RHSA-2010_0819
RHSA-2010_0891

Affected Products

Linux-Pam
Red Hat