Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 27 Sep 2010 11:44:03 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: Minor security flaw with pam_xauth

* [2010-09-27 11:36:13 -0600] Vincent Danen wrote:

>* [2010-09-24 20:48:23 +0400] Solar Designer wrote:
>
>>On Tue, Sep 21, 2010 at 04:02:47PM -0400, Josh Bressers wrote:
>>>Since you have the best understanding of these, can you break them down
>>>with reasonable explanations and I'll assign IDs to whatever still needs
>>>them?
>>
>>pam_xauth missing return value checks from setuid() and similar calls,
>>fixed in Linux-PAM 1.1.2 - CVE-2010-3316
>>
>>pam_env and pam_mail accessing the target user's files as root (and thus
>>susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
>>fixed in 1.1.2 - no CVE ID mentioned yet
>>
>>pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
>>and groups when accessing the target user's files (and thus potentially
>>susceptible to attacks by the user) - CVE-2010-3430
>>
>>pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
>>setfsuid() calls succeed (no known impact with current Linux kernels,
>>but poor practice in general) - CVE-2010-3431
>>
>>Now, in case someone fixes CVE-2010-3430 but fails to add return value
>>checks for the added calls, we'll need yet another CVE ID for the
>>partial fix... but I hope this won't happen.
>
>These that are partially fixed are fixed in that git commit you noted
>previously?
>
>http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
>
>Or are they fixed in different commits?  It looks like they should all
>be fixed in that commit, but I want to double-check.
>
>Are there patches available to fully fix these issues?  And are there
>patches for 3430 and 3431 yet?  I'm assuming also that those issues have
>always existed although you say 'in 1.1.2', but they would affect
>earlier versions yet, right?

Oh, hang on.  Re-read some older messages again trying to grok this and
it looks like these checks were introduced in 1.1.2, so they would _not_
affect earlier versions if I'm understanding correctly.

So only 3316 and the second issue without a CVE name affect pre-1.1.2.

So what about previous versions that _don't_ have privilege switching in
pam_env and pam_mail?  Would that require yet another CVE or would the
addition of privilege switching be considered an enhancement, not a
security fix?

-- 
Vincent Danen / Red Hat Security Response Team 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.