Re: Minor security flaw with pam_xauth

["Steven M. Christey" <coley () linus mitre org>]

On Tue, 21 Sep 2010, Josh Bressers wrote:

> > The same commit also introduces previously-missing privilege switching
> > into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail fix
> > is incomplete: it only switches the fsuid (should also switch fsgid (or
> > egid) and groups), and it fails to check the return value from setfsuid()
> > (doing so would require duplicate calls to setfsuid(), like we do in
> > libtcb, or switching of euid instead - yet it is desirable).
>
> This one is a bit on the tricky side. I'm going to call it "improper
> setfsuid use" so we can use just one CVE instead of two (as the flaws are
> related):
>
> Use CVE-2010-3430

Things get tricky once you get to such low levels of detail, and this is 
the area where there's a little bit of wiggle room.  At one level, you 
could call it "improper switching of privileges."  Or you could split at 
the level of the individual bugs.

One way that helps to clarify such things is: "if I fix X, will Y be 
rendered neutral?"  In this case, if you don't switch fsgid/egid and 
groups, you still have an unchecked return value that could cause problems 
if setfsuid() fails.  The converse also appears true - even if you check 
the result to setfsuid, you still run with the wrong group IDs.  (Note 
that this "independent bug fix" is actually the opposite of when you merge 
things of the same bug type, and this kind of approach will get more and 
more complicated as the more-obvious bugs get eliminated from the affected 
code).

In this case, I would argue for two CVEs.

- Steve