oss-sec mailing list archives
Re: Minor security flaw with pam_xauth
From: Solar Designer <solar () openwall com>
Date: Tue, 28 Sep 2010 00:29:16 +0400
On Mon, Sep 27, 2010 at 11:44:03AM -0600, Vincent Danen wrote:
> * [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> > pam_xauth missing return value checks from setuid() and similar calls, fixed in Linux-PAM 1.1.2 - CVE-2010-3316
> >
> > pam_env and pam_mail accessing the target user's files as root (and thus susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially fixed in 1.1.2 - no CVE ID mentioned yet
> >
> > pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid) and groups when accessing the target user's files (and thus potentially susceptible to attacks by the user) - CVE-2010-3430
> >
> > pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the setfsuid() calls succeed (no known impact with current Linux kernels, but poor practice in general) - CVE-2010-3431
...
> Oh, hang on. Re-read some older messages again trying to grok this and it looks like these checks were introduced in 1.1.2, so they would _not_ affect earlier versions if I'm understanding correctly.

Older versions were "fully vulnerable". 1.1.2 is "partially vulnerable".

> So only 3316 and the second issue without a CVE name affect pre-1.1.2.

Yes, in a sense.

> So what about previous versions that _don't_ have privilege switching in pam_env and pam_mail? Would that require yet another CVE or would the addition of privilege switching be considered an enhancement, not a security fix?

I think it should be considered a security fix. Moreover, of these four issues (if we keep the separation above), the currently-CVE-less is the most serious one.

Alexander
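
Added example, not part of the original message and not Linux-PAM's own code: a sketch in C of the checks the four issues above turn on, switching supplementary groups, fsgid and fsuid before touching a user's files and verifying each step. The helper names are hypothetical, and reducing the group list to the primary gid is a simplifying assumption.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* setfsuid()/setfsgid() return the previous ID on success and on failure,
 * so the result has to be read back. A call with -1 never changes the ID,
 * and its return value is therefore the ID currently in effect. */
int set_fsuid_checked(uid_t uid)
{
    setfsuid(uid);
    return (uid_t)setfsuid((uid_t)-1) == uid ? 0 : -1;
}

int set_fsgid_checked(gid_t gid)
{
    setfsgid(gid);
    return (gid_t)setfsgid((gid_t)-1) == gid ? 0 : -1;
}

/* Hypothetical helper: take on the target user's filesystem identity before
 * opening files the user controls. Order is supplementary groups, fsgid,
 * fsuid; the first failure aborts. A failure can leave the process partly
 * switched, so the caller must treat -1 as fatal for this operation and must
 * not go on to open the file. Assumption: the group list is reduced to the
 * primary gid; a caller that has the user name could use initgroups(). */
int fs_become_user(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)      /* needs CAP_SETGID; result checked */
        return -1;
    if (set_fsgid_checked(gid) != 0)
        return -1;
    if (set_fsuid_checked(uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: our own IDs versus a uid we may not be allowed to take. */
    printf("fsuid -> own uid:   %d\n", set_fsuid_checked(getuid()));
    printf("fsuid -> other uid: %d\n", set_fsuid_checked(getuid() + 1));
    printf("full switch:        %d\n", fs_become_user(getuid(), getgid()));
    return 0;
}
```

Run without privileges, the switch to another uid is refused by the kernel and only the read-back reveals it, since setfsuid() itself reports nothing.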