Package: libpam-heimdal
Version: 1.0-17
Severity: important

Pam_krb5's pam_sm_setcred function does not react to the PAM_DELETE_CRED flag. In fact, it returns with PAM_SUCCESS if the flag is PAM_REINITIALIZE_CRED and with PAM_SERVICE_ERR if the flag is anything other than PAM_ESTABLISH_CRED.

An example: KDM calls pam_setcred() with the PAM_DELETE_CRED flag to delete the credentials when a user closes his session, but instead of deleting the user's ccache file in the /tmp dir, it returns PAM_SERVICE_ERR. This is a very undesirable security risk.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libpam-heimdal depends on:
ii  libc6               2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libkrb5-17-heimdal  0.6.3-10sarge1  Libraries for Heimdal Kerberos

-- no debconf information