This looks fixed in raring, precise, oneiric, and lucid:
$ grep -r env.*run-parts:
./pam-1.1.3/debian/patches-applied/update-motd:+if (!system(/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d
Could we get an update here, please? There has been a fix available for almost
one and a half years now.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/610125
Title:
pam_motd runs commands as root with
** Branch linked: lp:~abone/ubuntu/quantal/pam/abone
This is CVE-2011-3628.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3628
Thanks Marc.
This still needs fixing, unfortunately. env is called without a fully
qualified path, which means a malicious PATH can still cause problems.
(Again, only in the case of having pam_motd added to non-default pam
service configs that are local setuid applications.)
** Also affects: pam (Ubuntu
Proposed patch attached.
** Patch added: 610125.patch
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/610125/+attachment/2541599/+files/610125.patch
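The concern raised in the comment above (a bare `env` is resolved through a caller-controlled PATH) does not arise when the program is named by absolute path and handed an explicit environment. The following C sketch of that pattern is an added illustration, not the attached 610125.patch or any pam code; `run_clean`, `CLEAN_ENV` and `DEMO_TAINTED` are hypothetical names, and /bin/sh is assumed to exist.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller.
 * The PATH value is the one quoted in the update-motd patch line above. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/*
 * run_clean (hypothetical helper): execute `path` with argv and CLEAN_ENV.
 * Returns the child's exit status, or -1 if the path is not absolute,
 * fork/wait fails, or the child did not exit normally.
 */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {   /* never let PATH pick the binary */
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);      /* no shell, no PATH lookup */
        _exit(127);                         /* only reached if exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: the child sees only CLEAN_ENV, so the variable
     * set here is empty inside it and the test command exits 0. */
    setenv("DEMO_TAINTED", "1", 1);
    char *const args[] = { "sh", "-c", "[ -z \"$DEMO_TAINTED\" ]", NULL };
    return run_clean("/bin/sh", args);
}
```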
Strangely, this patch was dropped from natty and oneiric. What
happened?
Looks like another UDD casualty:
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/pam/oneiric/revision/79#debian/changelog
I still see the patch in natty, so looks like it's only missing in Oneiric.
Thanks for the fix Dustin, I'll push it out as a security update once I get a
proper
On Thu, Oct 13, 2011 at 11:05:46PM -, Dustin Kirkland wrote:
> Strangely, this patch was dropped from natty and oneiric. What
> happened?
The patch was not committed to the Vcs-Bzr branch that's documented as
authoritative in the package's debian/control file, so the change was
dropped in the
I will be releasing pam security updates in a week or so, so I will
bundle this issue with them.
Since this is already part of the SRU process, let's just follow that
and when it is accepted, the security team can do a no change rebuild.
Alternatively, at the time the SRU team would accept it, we can do a no
change rebuild in -security and push updates out then (to reduce archive
churn and
This really shouldn't be an SRU, but a security update. Now that the
update is in -proposed, it's public and thus the bug should be public as
well, making so.
** Visibility changed to: Public