Re: Minor security flaw with pam_xauth

[Solar Designer <solar () openwall com>]

Dmitry has produced a patch against Linux-PAM 1.1.2 with the fixes
mentioned in the quoted message below.

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/pam/

This is Linux-PAM-1.1.2-up-20101011.diff (same as the changes made
upstream) and Linux-PAM-1.1.2-owl-Makefile.diff.

We already have this in Owl, documented as follows:

2010/10/18      Package: pam
SECURITY FIX    Severity: none to medium, local, active
Updated to 1.1.2+ snapshot 20101011.  This code revision introduces the
proper privilege switching into pam_env, pam_mail, and pam_xauth.  None
of these modules are in use on default installs of Owl, and they never
were, hence there was no impact for default installs.
References:
http://www.openwall.com/lists/oss-security/2010/08/16/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3316
http://www.openwall.com/lists/oss-security/2010/09/21/3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3431

I am posting this in case others want to have the issues fixed before
the 1.1.3 release comes out.

Alexander

On Mon, Oct 04, 2010 at 02:00:03AM +0400, Dmitry V. Levin wrote:
> The patch that fixes CVE-2010-3430 and CVE-2010-3431 was just made public:
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=pam_modutil_priv
>
> Besides that, another two issues have been fixed in pam_xauth after
> Linux-PAM 1.1.2 release:
>
> In pam_sm_close_session(), the attempt to unlink cookie file was made
> without dropping privileges at all if target uid could not be determined:
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-3-g05dafc0
>
> In check_acl(), there were no check that the acl file provided by target
> user is a regular file:
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-2-gffe7058
>
>
> -- 
> ldv