Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 25 Oct 2010 07:50:06 +0400
From: Solar Designer <>
Subject: Re: Minor security flaw with pam_xauth

Dmitry has produced a patch against Linux-PAM 1.1.2 with the fixes
mentioned in the quoted message below.

This is Linux-PAM-1.1.2-up-20101011.diff (same as the changes made
upstream) and Linux-PAM-1.1.2-owl-Makefile.diff.

We already have this in Owl, documented as follows:

2010/10/18	Package: pam
SECURITY FIX	Severity: none to medium, local, active
Updated to 1.1.2+ snapshot 20101011.  This code revision introduces the
proper privilege switching into pam_env, pam_mail, and pam_xauth.  None
of these modules are in use on default installs of Owl, and they never
were, hence there was no impact for default installs.

I am posting this in case others want to have the issues fixed before
the 1.1.3 release comes out.


On Mon, Oct 04, 2010 at 02:00:03AM +0400, Dmitry V. Levin wrote:
> The patch that fixes CVE-2010-3430 and CVE-2010-3431 was just made public:
> Besides that, another two issues have been fixed in pam_xauth after
> Linux-PAM 1.1.2 release:
> In pam_sm_close_session(), the attempt to unlink cookie file was made
> without dropping privileges at all if target uid could not be determined:
> In check_acl(), there were no check that the acl file provided by target
> user is a regular file:
> -- 
> ldv

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ