Date: Mon, 27 Sep 2010 11:44:03 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: Minor security flaw with pam_xauth

* [2010-09-27 11:36:13 -0600] Vincent Danen wrote:

>* [2010-09-24 20:48:23 +0400] Solar Designer wrote:
>
>>On Tue, Sep 21, 2010 at 04:02:47PM -0400, Josh Bressers wrote:
>>>Since you have the best understanding of these, can you break them down
>>>with reasonable explanations and I'll assign IDs to whatever still needs
>>>them?
>>
>>pam_xauth missing return value checks from setuid() and similar calls,
>>fixed in Linux-PAM 1.1.2 - CVE-2010-3316
>>
>>pam_env and pam_mail accessing the target user's files as root (and thus
>>susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
>>fixed in 1.1.2 - no CVE ID mentioned yet
>>
>>pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
>>and groups when accessing the target user's files (and thus potentially
>>susceptible to attacks by the user) - CVE-2010-3430
>>
>>pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
>>setfsuid() calls succeed (no known impact with current Linux kernels,
>>but poor practice in general) - CVE-2010-3431
>>
>>Now, in case someone fixes CVE-2010-3430 but fails to add return value
>>checks for the added calls, we'll need yet another CVE ID for the
>>partial fix... but I hope this won't happen.
>
>These that are partially fixed are fixed in that git commit you noted
>previously?
>
>http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
>
>Or are they fixed in different commits? It looks like they should all
>be fixed in that commit, but I want to double-check.
>
>Are there patches available to fully fix these issues? And are there
>patches for 3430 and 3431 yet? I'm assuming also that those issues have
>always existed although you say 'in 1.1.2', but they would affect
>earlier versions yet, right?
Oh, hang on. Re-read some older messages again trying to grok this and it
looks like these checks were introduced in 1.1.2, so they would _not_
affect earlier versions if I'm understanding correctly. So only 3316 and
the second issue without a CVE name affect pre-1.1.2.

So what about previous versions that _don't_ have privilege switching in
pam_env and pam_mail? Would that require yet another CVE or would the
addition of privilege switching be considered an enhancement, not a
security fix?

-- 
Vincent Danen / Red Hat Security Response Team
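The thread above describes two classes of defect: a privilege drop whose setuid()/setgid() results are never checked (CVE-2010-3316), and a temporary switch of filesystem credentials that changes only the fsuid, leaves fsgid and supplementary groups as root (CVE-2010-3430), and never verifies that the switch took effect (CVE-2010-3431). The following C code is an added example and is not Linux-PAM's code or any patch from the thread; the function names switch_fs_ids, restore_fs_ids and drop_privs_checked are assumptions for illustration. It shows the checks a module should make: groups and gid are switched before the uid (while the process still has the privilege to change them), and because setfsuid()/setfsgid() return the previous id whether or not the change happened, the new value is read back with an invalid id of -1, which leaves the id unchanged and returns the current one.

```c
/* Added example, not Linux-PAM code: checked credential switching. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials saved before a temporary switch so that it can be undone. */
struct saved_ids {
    uid_t  fsuid;
    gid_t  fsgid;
    int    ngroups;
    gid_t *groups;   /* NULL when supplementary groups were not touched */
};

/* setfsuid()/setfsgid() report nothing useful through their return value
 * (CVE-2010-3431 is exactly the habit of ignoring it).  Passing -1, an
 * invalid id, changes nothing and returns the id currently in effect. */
static uid_t current_fsuid(void) { return (uid_t)setfsuid((uid_t)-1); }
static gid_t current_fsgid(void) { return (gid_t)setfsgid((gid_t)-1); }

int restore_fs_ids(struct saved_ids *saved);

/* Temporarily switch filesystem credentials to (uid, gid) before touching
 * files the user controls.  Returns 0 on success; on failure returns -1
 * with the original ids restored.  Order matters: groups and gid first,
 * then uid, otherwise the gid change would need privilege already gone. */
int switch_fs_ids(uid_t uid, gid_t gid, struct saved_ids *saved)
{
    saved->fsuid   = current_fsuid();
    saved->fsgid   = current_fsgid();
    saved->groups  = NULL;
    saved->ngroups = 0;

    /* setgroups() needs CAP_SETGID.  A PAM module runs as root; the
     * geteuid() test only lets this example run unprivileged (assumption). */
    if (geteuid() == 0) {
        saved->ngroups = getgroups(0, NULL);
        if (saved->ngroups < 0)
            return -1;
        saved->groups = calloc((size_t)saved->ngroups + 1, sizeof(gid_t));
        if (saved->groups == NULL)
            return -1;
        if (getgroups(saved->ngroups, saved->groups) < 0 ||
            setgroups(1, &gid) < 0)
            goto fail;
    }
    setfsgid(gid);                       /* CVE-2010-3430: gid too, not uid only */
    if (current_fsgid() != gid)
        goto fail;
    setfsuid(uid);
    if (current_fsuid() != uid)          /* verify, do not assume */
        goto fail;
    return 0;
fail:
    restore_fs_ids(saved);
    return -1;
}

/* Undo switch_fs_ids(): uid first (it is what grants the right to change
 * the rest), then gid, then the supplementary groups.  Returns 0 if every
 * id is verifiably back to its saved value. */
int restore_fs_ids(struct saved_ids *saved)
{
    int rc = 0;
    setfsuid(saved->fsuid);
    if (current_fsuid() != saved->fsuid)
        rc = -1;
    setfsgid(saved->fsgid);
    if (current_fsgid() != saved->fsgid)
        rc = -1;
    if (saved->groups != NULL) {
        if (setgroups((size_t)saved->ngroups, saved->groups) < 0)
            rc = -1;
        free(saved->groups);
        saved->groups = NULL;
    }
    return rc;
}

/* Permanent drop for a helper child, the pam_xauth case (CVE-2010-3316):
 * every call is checked, because an ignored failure leaves the child
 * running as root while it processes the user's files. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* Confirm the drop is real and cannot be reversed. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}
```

Run unprivileged, the functions can only switch to the caller's own ids, which is enough to exercise the read-back checks; as root they perform the full switch, including the supplementary-group list that CVE-2010-3430 concerns. A module should treat -1 from either function as fatal for that operation rather than fall back to accessing the file with its original credentials.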