Date: Mon, 4 Oct 2010 02:00:03 +0400 From: "Dmitry V. Levin" <ldv@...linux.org> To: oss-security@...ts.openwall.com Subject: Re: Minor security flaw with pam_xauth Hi, On Fri, Oct 01, 2010 at 04:02:04PM -0600, Vincent Danen wrote: > * [2010-09-28 00:17:29 +0400] Solar Designer wrote: > >On Mon, Sep 27, 2010 at 11:36:13AM -0600, Vincent Danen wrote: > >>* [2010-09-24 20:48:23 +0400] Solar Designer wrote: > >>>pam_env and pam_mail accessing the target user's files as root (and thus > >>>susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially > >>>fixed in 1.1.2 - no CVE ID mentioned yet > >>> > >>>pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid) > >>>and groups when accessing the target user's files (and thus potentially > >>>susceptible to attacks by the user) - CVE-2010-3430 > >>> > >>>pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the > >>>setfsuid() calls succeed (no known impact with current Linux kernels, > >>>but poor practice in general) - CVE-2010-3431 [...] > >>Are there patches available to fully fix these issues? And are there > >>patches for 3430 and 3431 yet? > > > >This is the same question asked different ways. We have a patch that > >we're reviewing internally. To be made available soon. > > Great, looking forward to seeing them. The patch that fixes CVE-2010-3430 and CVE-2010-3431 was just made public: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=pam_modutil_priv Besides that, another two issues have been fixed in pam_xauth after Linux-PAM 1.1.2 release: In pam_sm_close_session(), the attempt to unlink cookie file was made without dropping privileges at all if target uid could not be determined: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-3-g05dafc0 In check_acl(), there were no check that the acl file provided by target user is a regular file: http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-2-gffe7058 -- ldv Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ