7.171. pam

Updated pam packages that fix two security issues and several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication.

Security Fixes

A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' ~/.pam_environment files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges.
A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained user_readenv=1 (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.
Red Hat would like to thank Kees Cook of the Google ChromeOS Team for reporting the CVE-2011-3148 and CVE-2011-3149 issues.

Bug Fixes

The limit on number of processes was set in the /etc/limits.d/90-nproc.conf file to 1024 processes even for the root account. Consequently, root processes confined with SELinux, such as the prelink utility started from the crond daemon, failed to start if there were more than 1024 processes running with UID 0 on the system. The limit for root processes has been set to unlimited and the confined processes are no longer blocked in the described scenario.
The require_selinux option handling in the pam_namespace module was broken. As a consequence, when SELinux was disabled, it was not possible to prevent users from logging in with the pam_namespace module. This option has been fixed and PAM works as expected now.
The pam_get_authtok_verify() function did not save the PAM_AUTHTOK_TYPE PAM item properly. Consequently, the authentication token type, as specified with the authtok_type option of the pam_cracklib module, was not respected in the Retype new password message. The pam_get_authtok_verify() function has been fixed to properly save the PAM_AUTHTOK_TYPE item and PAM now works correctly in this case.
When the remember option was used, the pam_unix module was matching usernames incorrectly while searching for the old password entries in the /etc/security/opasswd file. Due to this bug, the old password entries could be mixed; the users whose usernames were a substring of another username could have the old passwords entries of another user. With this update, the algorithm that is used to match usernames has been fixed. Now only the exact same usernames are matched and the old password entries are no longer mixed in the described scenario.
Prior to this update, using the pam_pwhistory module caused an error to occur when the root user was changing user's password. It was not possible to choose any password that was in user's password history as the new password. With this update, the root user can change the password regardless of whether it is in the user's history or not.


Certain authentication policies require enforcement of password complexity restrictions even for root accounts. Thus, the pam_cracklib module now supports the enforce_for_root option, which enforces the complexity restrictions on new passwords even for the root account.
The GECOS field is used to store additional information about the user, such as the user's full name or a phone number, which could be used by an attacker for an attempt to crack the password. The pam_cracklib module now also allows to specify the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password.
Certain authentication policies do not allow passwords which contain long continuous sequences such as abcd or 98765. This update introduces the possibility to limit the maximum length of these sequences by using the new maxsequence option.
Certain authentication policies require support for locking of an account that is not used for a certain period of time. This enhancement introduces an additional function to the pam_lastlog module, which allows users to lock accounts after a configurable number of days.
On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from occupying all of the system memory. This update allows to specify the maximum size and some other options of the tmpfs file system mount when using the tmpfs polyinstantiation method.
All pam users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.