PT-2014-4793 · Linux+3 · Linux-Pam+3

Sebastian Krahmer · Published 2014-04-10 · Updated 2024-06-15 · CVE-2014-2583

CVSS v2.0: 5.8 (Medium), Vector AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Linux-PAM version 1.1.8
Description: The issue concerns multiple directory traversal vulnerabilities in the pam_timestamp module. These vulnerabilities allow local users to create arbitrary files or possibly bypass authentication. This can be achieved by including a .. (dot dot) in the PAM_RUSER value passed to the get_ruser function or in the PAM_TTY value passed to the check_tty function, both of which are used by the format_timestamp_name function when it builds the timestamp file path.
Recommendations: For Linux-PAM version 1.1.8, consider restricting the use of the pam_timestamp module until a patch is available. As a temporary workaround, restrict access to the get_ruser and check_tty functions to minimize the risk of exploitation. Avoid using the PAM_RUSER and PAM_TTY values in sensitive operations until the issue is resolved.
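The defensive check this class of bug needs, as an added illustration that is not Linux-PAM's own code: every value that ends up as part of the timestamp path is validated component by component before the path is formatted. The base directory, the function names and the "<dir>/<user>/<tty>/<ruser>" layout are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Base directory is an assumed placeholder, not pam_timestamp's real layout. */
#define TS_DIR "/run/ts"

/* One path component: non-empty, not "." or "..", no slash. */
static int safe_component(const char *s, size_t n)
{
    if (n == 0) return 0;
    if (n == 1 && s[0] == '.') return 0;
    if (n == 2 && s[0] == '.' && s[1] == '.') return 0;
    return memchr(s, '/', n) == NULL;
}

/* PAM_RUSER must be exactly one safe component. */
int check_ruser(const char *ruser)
{
    return ruser != NULL && safe_component(ruser, strlen(ruser));
}

/* PAM_TTY: strip an optional "/dev/" prefix, then require every
 * slash-separated part (e.g. "pts/0") to be a safe component. A leading
 * or trailing slash yields an empty part and is therefore rejected. */
int check_tty(const char *tty)
{
    const char *p, *slash;
    if (tty == NULL || *tty == '\0') return 0;
    if (strchr(tty, ':') != NULL) return 0;  /* ":0" is a DISPLAY, not a tty */
    if (strncmp(tty, "/dev/", 5) == 0) tty += 5;
    for (p = tty;; p = slash + 1) {
        slash = strchr(p, '/');
        size_t n = slash != NULL ? (size_t)(slash - p) : strlen(p);
        if (!safe_component(p, n)) return 0;
        if (slash == NULL) return 1;
    }
}

/* Build "<TS_DIR>/<user>/<tty>/<ruser>" from validated values only.
 * Returns 0 and fills buf, or -1 if a value is rejected or the result would not fit. */
int format_timestamp_path(char *buf, size_t len, const char *user,
                          const char *tty, const char *ruser)
{
    if (!check_ruser(user) || !check_ruser(ruser) || !check_tty(tty)) return -1;
    if (strncmp(tty, "/dev/", 5) == 0) tty += 5;
    int n = snprintf(buf, len, "%s/%s/%s/%s", TS_DIR, user, tty, ruser);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```

Rejecting the value outright, rather than stripping ".." out of it, is what keeps the result inside TS_DIR; stripping can leave a new ".." behind.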

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

ALT-PU-2016-1613
CVE-2014-2583
MGASA-2015-0213
OPENSUSE-SU-2024:10405-1
SUSE-SU-2014_0631-1
USN-2935-1
USN-2935-2

Affected Products

Alt Linux
Linux-Pam
Suse
Ubuntu