Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100927202916.GA4576@openwall.com>
Date: Tue, 28 Sep 2010 00:29:16 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Minor security flaw with pam_xauth

On Mon, Sep 27, 2010 at 11:44:03AM -0600, Vincent Danen wrote:
> >* [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> >>pam_xauth missing return value checks from setuid() and similar calls,
> >>fixed in Linux-PAM 1.1.2 - CVE-2010-3316
> >>
> >>pam_env and pam_mail accessing the target user's files as root (and thus
> >>susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> >>fixed in 1.1.2 - no CVE ID mentioned yet
> >>
> >>pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> >>and groups when accessing the target user's files (and thus potentially
> >>susceptible to attacks by the user) - CVE-2010-3430
> >>
> >>pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> >>setfsuid() calls succeed (no known impact with current Linux kernels,
> >>but poor practice in general) - CVE-2010-3431
...
> Oh, hang on.  Re-read some older messages again trying to grok this and
> it looks like these checks were introduced in 1.1.2, so they would _not_
> affect earlier versions if I'm understanding correctly.

Older versions were "fully vulnerable".  1.1.2 is "partially vulnerable".

> So only 3316 and the second issue without a CVE name affect pre-1.1.2.

Yes, in a sense.

> So what about previous versions that _don't_ have privilege switching in
> pam_env and pam_mail?  Would that require yet another CVE or would the
> addition of privilege switching be considered an enhancement, not a
> security fix?

I think it should be considered a security fix.  Moreover, of these four
issues (if we keep the separation above), the currently-CVE-less is the
most serious one.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.