Bug 1188682 (CVE-2020-36394) - VUL-0: CVE-2020-36394: pam: pam_setquota.c in the pam_setquota module before 2020-05-29 for Linux-PAM allows local attackers to set their quota on an arbitrary filesystem, in certain situations where the attacker's home directory is a FUSE
Summary: VUL-0: CVE-2020-36394: pam: pam_setquota.c in the pam_setquota module before ...
Status: RESOLVED FIXED
Alias: CVE-2020-36394
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/302787/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-36394:7.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-24 07:39 UTC by Marcus Meissner
Modified: 2024-06-07 13:28 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2021-07-24 07:39:41 UTC
CVE-2020-36394

pam_setquota.c in the pam_setquota module before 2020-05-29 for Linux-PAM allows
local attackers to set their quota on an arbitrary filesystem, in certain
situations where the attacker's home directory is a FUSE filesystem mounted
under /home.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36394
https://seclists.org/oss-sec/2020/q2/169
Comment 1 Josef Möllers 2021-07-26 09:03:41 UTC
This is a duplicate of https://bugzilla.suse.com/show_bug.cgi?id=1171721, is it not?
Comment 2 Josef Möllers 2021-07-26 09:19:37 UTC
Also, no pam package has been released yet which has pam_setquota, so this bug is moot.
Comment 3 Marcus Meissner 2021-08-03 10:35:12 UTC
If this is not affected or fixed everywhere, we can close...

Is Factory fixed?
Comment 4 Radoslav Kolev 2022-01-17 10:00:08 UTC
It seems to me it is so. It was fixed in Factory in https://build.opensuse.org/request/show/812631, and for SLE15 and older it is not applicable, as this module doesn't even exist in the version shipped there; it was introduced later.
Comment 5 Gabriele Sonnu 2024-06-07 13:28:50 UTC
All done, closing.