oss-sec mailing list archives
Re: Minor security flaw with pam_xauth
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 21 Sep 2010 15:15:44 -0400 (EDT)
On Tue, 21 Sep 2010, Josh Bressers wrote:
> > The same commit also introduces previously-missing privilege switching into pam_env and pam_mail. Unfortunately, this pam_env and pam_mail fix is incomplete: it only switches the fsuid (should also switch fsgid (or egid) and groups), and it fails to check the return value from setfsuid() (doing so would require duplicate calls to setfsuid(), like we do in libtcb, or switching of euid instead - yet it is desirable).
>
> This one is a bit on the tricky side. I'm going to call it "improper setfsuid use" so we can use just one CVE instead of two (as the flaws are related):
>
> Use CVE-2010-3430

Things get tricky once you get to such low levels of detail, and this is the area where there's a little bit of wiggle room. At one level, you could call it "improper switching of privileges." Or you could split at the level of the individual bugs.
One way that helps to clarify such things is: "if I fix X, will Y be rendered neutral?" In this case, if you don't switch fsgid/egid and groups, you still have an unchecked return value that could cause problems if setfsuid() fails. The converse also appears true - even if you check the result to setfsuid, you still run with the wrong group IDs. (Note that this "independent bug fix" is actually the opposite of when you merge things of the same bug type, and this kind of approach will get more and more complicated as the more-obvious bugs get eliminated from the affected code).
In this case, I would argue for two CVEs.

- Steve
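
The two bugs discussed in this message, an unchecked setfsuid() and a switch that leaves the group IDs untouched, can be seen side by side in a short Linux C sketch. This is an added example, not code from Linux-PAM, libtcb or the thread; the helper names `checked_setfsuid`, `checked_setfsgid` and `switch_fs_identity` are hypothetical.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* setfsuid() returns the previous fsuid on success and on failure, so a
 * single call cannot tell whether the switch happened. A second call
 * returns the fsuid now in effect, which can be compared to the target. */
static int checked_setfsuid(uid_t uid)
{
    setfsuid(uid);
    return ((uid_t)setfsuid(uid) == uid) ? 0 : -1;
}

/* Same duplicate-call check for the filesystem group ID. */
static int checked_setfsgid(gid_t gid)
{
    setfsgid(gid);
    return ((gid_t)setfsgid(gid) == gid) ? 0 : -1;
}

/* Hypothetical helper: take on the target user's whole filesystem identity.
 * Switching only the fsuid would leave the caller's fsgid and supplementary
 * groups in force for every later file access. Group identity is changed
 * before user identity, the usual order when dropping privileges.
 * A return of -1 may leave a partial switch; the caller must not touch
 * user-controlled files after a failure. */
static int switch_fs_identity(uid_t uid, gid_t gid,
                              const gid_t *groups, size_t ngroups)
{
    if (setgroups(ngroups, groups) != 0)   /* needs CAP_SETGID */
        return -1;
    if (checked_setfsgid(gid) != 0)
        return -1;
    return checked_setfsuid(uid);
}

int main(void)
{
    /* Switching to the IDs the process already has always succeeds. */
    printf("own fsuid: %d\n", checked_setfsuid(geteuid()));
    printf("own fsgid: %d\n", checked_setfsgid(getegid()));
    /* (uid_t)-1 is never a valid ID, so this switch always fails; an
     * unchecked setfsuid() call would not notice. */
    printf("invalid fsuid: %d\n", checked_setfsuid((uid_t)-1));
    return 0;
}
```

Fixing either check alone leaves the other problem in place, which is the independence test applied in the message above.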