Date: Mon, 27 Sep 2010 11:44:03 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: Minor security flaw with pam_xauth

* [2010-09-27 11:36:13 -0600] Vincent Danen wrote:

>* [2010-09-24 20:48:23 +0400] Solar Designer wrote:
>
>>On Tue, Sep 21, 2010 at 04:02:47PM -0400, Josh Bressers wrote:
>>>Since you have the best understanding of these, can you break them down
>>>with reasonable explanations and I'll assign IDs to whatever still needs
>>>them?
>>
>>pam_xauth missing return value checks from setuid() and similar calls,
>>fixed in Linux-PAM 1.1.2 - CVE-2010-3316
>>
>>pam_env and pam_mail accessing the target user's files as root (and thus
>>susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
>>fixed in 1.1.2 - no CVE ID mentioned yet
>>
>>pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
>>and groups when accessing the target user's files (and thus potentially
>>susceptible to attacks by the user) - CVE-2010-3430
>>
>>pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
>>setfsuid() calls succeed (no known impact with current Linux kernels,
>>but poor practice in general) - CVE-2010-3431
>>
>>Now, in case someone fixes CVE-2010-3430 but fails to add return value
>>checks for the added calls, we'll need yet another CVE ID for the
>>partial fix... but I hope this won't happen.
>
>These that are partially fixed are fixed in that git commit you noted
>previously?
>
>http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
>
>Or are they fixed in different commits?  It looks like they should all
>be fixed in that commit, but I want to double-check.
>
>Are there patches available to fully fix these issues?  And are there
>patches for 3430 and 3431 yet?  I'm assuming also that those issues have
>always existed although you say 'in 1.1.2', but they would affect
>earlier versions yet, right?

Oh, hang on.  Re-read some older messages again trying to grok this and
it looks like these checks were introduced in 1.1.2, so they would _not_
affect earlier versions if I'm understanding correctly.

So only 3316 and the second issue without a CVE name affect pre-1.1.2.

So what about previous versions that _don't_ have privilege switching in
pam_env and pam_mail?  Would that require yet another CVE or would the
addition of privilege switching be considered an enhancement, not a
security fix?

-- 
Vincent Danen / Red Hat Security Response Team 
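As an added illustration of the pattern the thread is discussing (this is example code, not Linux-PAM's own pam_env/pam_mail code and not anything posted by the participants): a module that reads a file under the target user's control should take on that user's filesystem identity (supplementary groups, fsgid and fsuid, in that order), verify that each switch actually happened, open the file without following a final symlink or blocking on a FIFO, and restore the original identity afterwards. The same "check every privilege-switching call" discipline is what CVE-2010-3316 is about for pam_xauth's setuid() calls. Function and struct names here are this example's own, the 65534 uid/gid in the usage line is an arbitrary placeholder, and the code is Linux-specific (setfsuid/setfsgid/setgroups).

```c
/* Added example (not Linux-PAM code): switch filesystem identity to a target
 * user before touching files under that user's control, verifying each step.
 * Linux-specific.  Build: gcc -Wall -Wextra -o fsid fsid.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_SAVED_GROUPS 128

struct saved_fsid {
    uid_t fsuid;
    gid_t fsgid;
    gid_t groups[MAX_SAVED_GROUPS];
    int ngroups;
    int uid_changed, gid_changed, groups_changed;
};

/* setfsuid()/setfsgid() return the previous value on success *and* on failure
 * and do not set errno, so the only reliable check is to read the value back
 * with a second call passing -1, which changes nothing. */
static uid_t fsuid_now(void) { return (uid_t)setfsuid((uid_t)-1); }
static gid_t fsgid_now(void) { return (gid_t)setfsgid((gid_t)-1); }

/* Put the identity back to what switch_fsid() saved, undoing only the steps
 * that actually succeeded.  Returns 0, or -1 if any restore did not take. */
int restore_fsid(const struct saved_fsid *s)
{
    int rc = 0;
    if (s->uid_changed) {
        setfsuid(s->fsuid);
        if (fsuid_now() != s->fsuid) rc = -1;
    }
    if (s->gid_changed) {
        setfsgid(s->fsgid);
        if (fsgid_now() != s->fsgid) rc = -1;
    }
    if (s->groups_changed && setgroups((size_t)s->ngroups, s->groups) != 0)
        rc = -1;
    return rc;
}

/* Become uid/gid/groups for filesystem access only (euid is untouched, so a
 * root caller keeps CAP_SETUID/CAP_SETGID and can switch back).  Groups and
 * gid go first, uid last; every step is verified and rolled back on failure.
 * Returns 0 on success, -1 with errno set otherwise. */
int switch_fsid(struct saved_fsid *s, uid_t uid, gid_t gid,
                const gid_t *groups, int ngroups)
{
    s->uid_changed = s->gid_changed = s->groups_changed = 0;
    s->fsuid = fsuid_now();
    s->fsgid = fsgid_now();
    s->ngroups = getgroups(MAX_SAVED_GROUPS, s->groups);
    if (s->ngroups < 0)
        return -1;                              /* errno from getgroups() */
    if (setgroups((size_t)ngroups, groups) != 0)
        goto fail;                              /* EPERM without CAP_SETGID */
    s->groups_changed = 1;
    setfsgid(gid);
    if (fsgid_now() != gid) { errno = EPERM; goto fail; }
    s->gid_changed = 1;
    setfsuid(uid);
    if (fsuid_now() != uid) { errno = EPERM; goto fail; }
    s->uid_changed = 1;
    return 0;
fail: {
        int saved_errno = errno;
        (void)restore_fsid(s);
        errno = saved_errno;
        return -1;
    }
}

/* Open a regular file controlled by the target user, as that user, without
 * following a final symlink and without blocking on a FIFO.  Returns an fd
 * or -1 with errno set; the caller's identity is restored either way. */
int open_user_file(uid_t uid, gid_t gid, const gid_t *groups, int ngroups,
                   const char *path)
{
    struct saved_fsid s;
    struct stat st;
    int fd, saved_errno;

    if (switch_fsid(&s, uid, gid, groups, ngroups) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);
    saved_errno = errno;
    if (restore_fsid(&s) != 0) {   /* never carry on half-restored */
        if (fd >= 0) close(fd);
        errno = EPERM;
        return -1;
    }
    if (fd < 0) { errno = saved_errno; return -1; }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;                         /* FIFO, device, etc. */
        return -1;
    }
    return fd;
}

/* Usage: ./fsid 65534 65534 /home/someone/.pam_environment (placeholder ids) */
int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s uid gid path\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    int fd = open_user_file(uid, gid, &gid, 1, argv[3]);
    if (fd < 0) { perror("open_user_file"); return 1; }
    printf("opened %s as uid %lu\n", argv[3], (unsigned long)uid);
    close(fd);
    return 0;
}
```

Run as root, the open really happens with the target user's fsuid, fsgid and supplementary groups, so a symlink or FIFO planted by that user in their own directory cannot be used against the privileged process; run unprivileged, switch_fsid() reports -1 instead of silently continuing as the caller, which is the failure mode the missing return-value checks allowed.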
