Upstream-Status: Backport Fix for CVE-2010-4708 Change default for user_readenv to 0 and document the new default for user_readenv. This fix is got from: http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env /pam_env.c?r1=1.22&r2=1.23&view=patch http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env /pam_env.8.xml?r1=1.7&r2=1.8&view=patch Signed-off-by: Wenzong Fan --- --- a/modules/pam_env/pam_env.c 2012-09-05 13:57:47.000000000 +0800 +++ b/modules/pam_env/pam_env.c 2012-09-05 13:58:05.000000000 +0800 @@ -10,7 +10,7 @@ #define DEFAULT_READ_ENVFILE 1 #define DEFAULT_USER_ENVFILE ".pam_environment" -#define DEFAULT_USER_READ_ENVFILE 1 +#define DEFAULT_USER_READ_ENVFILE 0 #include "config.h" --- a/modules/pam_env/pam_env.8.xml 2012-09-05 13:58:24.000000000 +0800 +++ b/modules/pam_env/pam_env.8.xml 2012-09-05 13:59:36.000000000 +0800 @@ -147,7 +147,10 @@ Turns on or off the reading of the user specific environment - file. 0 is off, 1 is on. By default this option is on. + file. 0 is off, 1 is on. By default this option is off as user + supplied environment variables in the PAM environment could affect + behavior of subsequent modules in the stack without the consent + of the system administrator.