ALAS-2013-160


Amazon Linux AMI Security Advisory: ALAS-2013-160
Advisory Release Date: 2014-09-15 22:33 Pacific
Severity: Medium

Issue Overview:

A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' "~/.pam_environment" files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges. (CVE-2011-3148 )

A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop. (CVE-2011-3149 )


Affected Packages:

pam


Issue Correction:
Run yum update pam to update your system.

New Packages:
i686:
    pam-debuginfo-1.1.1-13.20.amzn1.i686
    pam-1.1.1-13.20.amzn1.i686
    pam-devel-1.1.1-13.20.amzn1.i686

src:
    pam-1.1.1-13.20.amzn1.src

x86_64:
    pam-1.1.1-13.20.amzn1.x86_64
    pam-debuginfo-1.1.1-13.20.amzn1.x86_64
    pam-devel-1.1.1-13.20.amzn1.x86_64