Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pam-krb5 | Eyrie | * | 3.12 (including) |
| Pam-krb5 | Eyrie | 3.0 (including) | 3.0 (including) |
| Pam-krb5 | Eyrie | 3.1 (including) | 3.1 (including) |
| Pam-krb5 | Eyrie | 3.2 (including) | 3.2 (including) |
| Pam-krb5 | Eyrie | 3.3 (including) | 3.3 (including) |
| Pam-krb5 | Eyrie | 3.4 (including) | 3.4 (including) |
| Pam-krb5 | Eyrie | 3.5 (including) | 3.5 (including) |
| Pam-krb5 | Eyrie | 3.6 (including) | 3.6 (including) |
| Pam-krb5 | Eyrie | 3.7 (including) | 3.7 (including) |
| Pam-krb5 | Eyrie | 3.8 (including) | 3.8 (including) |
| Pam-krb5 | Eyrie | 3.9 (including) | 3.9 (including) |
| Pam-krb5 | Eyrie | 3.10 (including) | 3.10 (including) |
| Pam-krb5 | Eyrie | 3.11 (including) | 3.11 (including) |