CVE-2010-3853

Name	CVE-2010-3853
Description	pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	608273

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pam (PTS)	jessie	1.1.8-3.1+deb8u2	fixed
	stretch	1.1.8-3.6	fixed
	buster	1.3.1-5	fixed
	bullseye	1.4.0-9+deb11u1	fixed
	bookworm	1.5.2-6+deb12u1	fixed
	sid, trixie	1.5.3-7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
pam	source	(unstable)	1.1.3-1	low		608273

[squeeze] - pam <no-dsa> (Minor issue)
[lenny] - pam <no-dsa> (Minor issue)