CVE-2009-0361

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2009-0361

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2009-0361.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2009-0361

Downstream

DEBIAN-CVE-2009-0361

DSA-1721-1

DSA-1722-1

Published

2009-02-13T17:30:00Z

Modified

2025-08-09T19:01:27Z

Summary

[none]

Details

Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pamsetcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pamsetcred operations.

References

http://secunia.com/advisories/33914
http://secunia.com/advisories/33917
http://secunia.com/advisories/33918
http://secunia.com/advisories/34260
http://secunia.com/advisories/34449
http://security.gentoo.org/glsa/glsa-200903-39.xml
http://www.debian.org/security/2009/dsa-1721
http://www.debian.org/security/2009/dsa-1722
http://www.ubuntu.com/usn/USN-719-1
http://www.vupen.com/english/advisories/2009/0410
http://www.vupen.com/english/advisories/2009/0426
http://www.vupen.com/english/advisories/2009/0979
http://securitytracker.com/id?1021711
http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1
http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm
http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html
http://www.securityfocus.com/archive/1/500892/100/0/threaded
http://www.securityfocus.com/bid/33741
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5403
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5521

CVE-2009-0361

Affected packages