Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Sep 2010 14:57:23 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: Minor security flaw with pam_xauth

----- "Solar Designer" <solar@...nwall.com> wrote:

> On Mon, Aug 16, 2010 at 12:05:13PM +0100, Tim Brown wrote:
> > Here's another bug where privileged code isn't checking the return
> value from 
> > setuid():
> > 
> >
> http://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663
> 
> This is fixed in Linux-PAM 1.1.2:
> 
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
> 

Let's use CVE-2010-3316 for the above flaw.


> The same commit also introduces previously-missing privilege switching
> into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail fix
> is incomplete: it only switches the fsuid (should also switch fsgid (or
> egid) and groups), and it fails to check the return value from setfsuid()
> (doing so would require duplicate calls to setfsuid(), like we do in
> libtcb, or switching of euid instead - yet it is desirable).
> 

This one is a bit on the tricky side. I'm going to call it "improper
setfsuid use" so we can use just one CVE instead of two (as the flaws are
related):

Use CVE-2010-3430

Steve, feel free to overrule me if MITRE doesn't like this.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ