Re: pam_timestamp internals

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I came across some implications of pam_timestamp ... it aims to mimic
> sudo timestamp tickets

> there seems to be a path traversal issue

Use CVE-2014-2583. As usual, there are not separate CVE IDs for the
different impacts.

> One should probably take care to not accidently include pam_timestamp in a config file
> for a remote service, as chance is high that the RUSER/TTY is used incorrectly, even
> when the user string is checked via getpwnam(). It should probably be documented in
> pam_timestamp's manpage.

There is no CVE ID for the issue in which the documentation might
not be sufficient to prevent all problematic uses of pam_timestamp in
conjunction with remote services. The documentation at
http://www.linux-pam.org/Linux-PAM-html/sag-pam_timestamp.html and
elsewhere specifically mentions "This is similar mechanism which is
used in sudo" and "FILES /var/run/sudo/..." in fairly prominent ways.
The documentation is not directly misleading, i.e., there doesn't seem
to be any implication that a remote service is a recommended use case.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTMy96AAoJEKllVAevmvms7JkH/0GC/rQ0JAYaYMEX88iZM4Fk
eUU33cqGX2UZkHwZ0HCMoyi521ptE31rllfBNqcuhdOc/X06pY/zq16Cbfc9yPGr
PYGzMou5KjoKscEov4ma3J/FVgrDMGHKp6uU/RGsEllr3qrEOx92sOKP4dw5nteC
6b8B7b8KQXBRGWdAg0ydFU1KSFdQxpNU7ii9FUMYHswohubgGyYbkbWMltyICHWd
CRYNiZtIyou2hX80otdXi2p/ezVZuovtfgQbwjtYhehUDn46MV09lhWRVJZmDH+L
IaEwd2wjGNyV07NcBIt+NLghRNCW7U2oct1wdxg4R6wbVW0NBYJAgynVqTAEDLo=
=dQxv
-----END PGP SIGNATURE-----