CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
5.1%
Issue Overview:
A stack-based buffer overflow flaw was found in the way the pam_env module parsed users’ “~/.pam_environment” files. If an application’s PAM configuration contained “user_readenv=1” (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges. (CVE-2011-3148)
A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application’s PAM configuration contained “user_readenv=1” (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop. (CVE-2011-3149)
Affected Packages:
pam
Issue Correction:
Run yum update pam to update your system.
New Packages:
i686:
pam-debuginfo-1.1.1-13.20.amzn1.i686
pam-1.1.1-13.20.amzn1.i686
pam-devel-1.1.1-13.20.amzn1.i686
src:
pam-1.1.1-13.20.amzn1.src
x86_64:
pam-1.1.1-13.20.amzn1.x86_64
pam-debuginfo-1.1.1-13.20.amzn1.x86_64
pam-devel-1.1.1-13.20.amzn1.x86_64
Red Hat: CVE-2011-3148, CVE-2011-3149
Mitre: CVE-2011-3148, CVE-2011-3149
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | pam-debuginfo | < 1.1.1-13.20.amzn1 | pam-debuginfo-1.1.1-13.20.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | pam | < 1.1.1-13.20.amzn1 | pam-1.1.1-13.20.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | pam-devel | < 1.1.1-13.20.amzn1 | pam-devel-1.1.1-13.20.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | pam | < 1.1.1-13.20.amzn1 | pam-1.1.1-13.20.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | pam-debuginfo | < 1.1.1-13.20.amzn1 | pam-debuginfo-1.1.1-13.20.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | pam-devel | < 1.1.1-13.20.amzn1 | pam-devel-1.1.1-13.20.amzn1.x86_64.rpm |