Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pam-krb5 | Eyrie | * | 3.12 (including) |
| Pam-krb5 | Eyrie | 3.0 (including) | 3.0 (including) |
| Pam-krb5 | Eyrie | 3.1 (including) | 3.1 (including) |
| Pam-krb5 | Eyrie | 3.2 (including) | 3.2 (including) |
| Pam-krb5 | Eyrie | 3.3 (including) | 3.3 (including) |
| Pam-krb5 | Eyrie | 3.4 (including) | 3.4 (including) |
| Pam-krb5 | Eyrie | 3.5 (including) | 3.5 (including) |
| Pam-krb5 | Eyrie | 3.6 (including) | 3.6 (including) |
| Pam-krb5 | Eyrie | 3.7 (including) | 3.7 (including) |
| Pam-krb5 | Eyrie | 3.8 (including) | 3.8 (including) |
| Pam-krb5 | Eyrie | 3.9 (including) | 3.9 (including) |
| Pam-krb5 | Eyrie | 3.10 (including) | 3.10 (including) |
| Pam-krb5 | Eyrie | 3.11 (including) | 3.11 (including) |
| Libpam-heimdal | Ubuntu | dapper | * |
| Libpam-heimdal | Ubuntu | gutsy | * |
| Libpam-heimdal | Ubuntu | hardy | * |
| Libpam-heimdal | Ubuntu | intrepid | * |
| Libpam-heimdal | Ubuntu | upstream | * |
| Libpam-krb5 | Ubuntu | dapper | * |
| Libpam-krb5 | Ubuntu | devel | * |
| Libpam-krb5 | Ubuntu | gutsy | * |
| Libpam-krb5 | Ubuntu | hardy | * |
| Libpam-krb5 | Ubuntu | intrepid | * |
| Libpam-krb5 | Ubuntu | jaunty | * |
| Libpam-krb5 | Ubuntu | karmic | * |
| Libpam-krb5 | Ubuntu | lucid | * |
| Libpam-krb5 | Ubuntu | maverick | * |
| Libpam-krb5 | Ubuntu | natty | * |
| Libpam-krb5 | Ubuntu | oneiric | * |
| Libpam-krb5 | Ubuntu | upstream | * |