Re: Disputing CVE-2011-4122

[Kurt Seifried <kseifried () redhat com>]

On 12/07/2011 07:26 AM, Jeff Mitchell wrote:
> Hello,
>
> I've been asked by the kcheckpass maintainer to lodge a dispute of
> CVE-2011-4122.
>
> As explained in the blog entry linked from the CVE[1], the problem is
> that neither kcheckpass nor OpenPAM validate the 'service_name' input
> argument of pam_start(). This hole can be used to make PAM load
> arbitrary shared libraries, which can be used to execute arbitrary code
> as root, as kcheckpass is setuid root.
>
> One could assume that kcheckpass should do the validation. However, the
> PAM documentation makes no mention of what a service name is supposed to
> look like, and consequently it must be treated as opaque by the
> application code. Therefore all validation must be expected to be done
> by the library, and failure to do so must be seen as a bug in the
> library exclusively.

Can you provide a link to the documentation?
> As a result, it is correct to list kcheckpass as an affected
> application, but not as the origin of the vulnerability. The linked
> advisories from ISS and Secunia are clearer about that.
>
> Thanks,
> Jeff
>
> [1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122
This is a good point/question. Steve?

-- 

-Kurt Seifried / Red Hat Security Response Team