Re: Minor security flaw with pam_xauth

[Josh Bressers <bressers () redhat com>]

----- "Solar Designer" <solar () openwall com> wrote:

> On Mon, Aug 16, 2010 at 12:05:13PM +0100, Tim Brown wrote:
> > Here's another bug where privileged code isn't checking the return
> value from 
> > setuid():
> http://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663
>
> This is fixed in Linux-PAM 1.1.2:
>
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6

Let's use CVE-2010-3316 for the above flaw.


> The same commit also introduces previously-missing privilege switching
> into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail fix
> is incomplete: it only switches the fsuid (should also switch fsgid (or
> egid) and groups), and it fails to check the return value from setfsuid()
> (doing so would require duplicate calls to setfsuid(), like we do in
> libtcb, or switching of euid instead - yet it is desirable).

This one is a bit on the tricky side. I'm going to call it "improper
setfsuid use" so we can use just one CVE instead of two (as the flaws are
related):

Use CVE-2010-3430

Steve, feel free to overrule me if MITRE doesn't like this.

Thanks.

-- 
    JB