发布日期：2009-02-11
更新日期：2009-02-12

受影响系统：

Russ Allbery pam-krb5 < 3.13

不受影响系统：

Russ Allbery pam-krb5 3.13

描述：

---

BUGTRAQ  ID: 33741
CVE(CAN) ID: CVE-2009-0361

pam-krb5提供了支持认证、授权、用户票据缓存处理等功能的Kerberos v5 PAM模块。

在刷新已有的用户凭据时pam-krb5会使用PAM_REINITIALIZE_CREDS或PAM_REFRESH_CREDS调用pam_setcred，因此会使用已有的KRB5CCNAME环境变量确定已有的Kerberos凭据缓存。如果setuid应用程序没有首先调用PAM_ESTABLISH_CREDS或丢弃权限便调用了这些API的话，pam-krb5就可能覆盖KRB5CCNAME指定给攻击者的文件并更改该文件的权限。

<*来源：Russ Allbery （rra@debian.org）
  
  链接：http://marc.info/?l=kerberos&m=123438312818697&w=2
        http://secunia.com/advisories/33914/
        http://www.debian.org/security/2009/dsa-1722
        http://www.debian.org/security/2009/dsa-1721
*>

建议：

---

厂商补丁：

Debian
------
Debian已经为此发布了一个安全公告（DSA-1721-1）以及相应补丁:
DSA-1721-1：New libpam-krb5 packages fix local privilege
链接：http://www.debian.org/security/2009/dsa-1721

补丁下载：
Source archives:

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1.dsc
Size/MD5 checksum:      670 e24d2e134c78f26f571ae691a4dd3209
http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6.orig.tar.gz
Size/MD5 checksum:   119752 5742d0fb75ac148b7748387bc295f472
http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1.diff.gz
Size/MD5 checksum:    11016 93ab13d570cbb2938e703fef2f06581e

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_alpha.deb
Size/MD5 checksum:    58440 a526c51fb9e6c4193b8591000ff7b632

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_amd64.deb
Size/MD5 checksum:    57502 d8607f991e0da76e191bc2c468c7ed59

arm architecture (ARM)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_arm.deb
Size/MD5 checksum:    55372 e90de3bd06a9fc12d61866e718896c2e

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_hppa.deb
Size/MD5 checksum:    58952 0774be83acdc3e36ddf9c55bbfc9ee16

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_i386.deb
Size/MD5 checksum:    56726 9d3eb6c5e1954393cde41f73b3824190

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_ia64.deb
Size/MD5 checksum:    62910 874687c0aba8ecbce11bd126ff5c2585

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_mips.deb
Size/MD5 checksum:    56894 0f10eccba6afdc540c23a39728df0bc9

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_mipsel.deb
Size/MD5 checksum:    56886 55d1faffac772a008d46674442f480f9

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_powerpc.deb
Size/MD5 checksum:    58572 66ecfa0eb67c381dc8b2a63a1d7dec44

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_s390.deb
Size/MD5 checksum:    57928 73b6597abb7682378667210bd980a8b2

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/libp/libpam-krb5/libpam-krb5_2.6-1etch1_sparc.deb
Size/MD5 checksum:    56390 7896f97c1d3b2daa5e94a195a12a11a6

补丁安装方法：

1. 手工安装补丁包：

  首先，使用下面的命令来下载补丁软件：
  # wget url  (url是补丁下载链接地址)

  然后，使用下面的命令来安装补丁：  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包：

   首先，使用下面的命令更新内部数据库：
   # apt-get update
  
   然后，使用下面的命令安装更新软件包：
   # apt-get upgrade

Russ Allbery
------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.eyrie.org/~eagle/software/pam-krb5/

浏览次数：2454
严重程度：0（网友投票）