Re: Minor security flaw with pam_xauth

[Solar Designer <solar () openwall com>]

On Tue, Sep 21, 2010 at 04:02:47PM -0400, Josh Bressers wrote:
> Since you have the best understanding of these, can you break them down
> with reasonable explanations and I'll assign IDs to whatever still needs
> them?

pam_xauth missing return value checks from setuid() and similar calls,
fixed in Linux-PAM 1.1.2 - CVE-2010-3316

pam_env and pam_mail accessing the target user's files as root (and thus
susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
fixed in 1.1.2 - no CVE ID mentioned yet

pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
and groups when accessing the target user's files (and thus potentially
susceptible to attacks by the user) - CVE-2010-3430

pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
setfsuid() calls succeed (no known impact with current Linux kernels,
but poor practice in general) - CVE-2010-3431

Now, in case someone fixes CVE-2010-3430 but fails to add return value
checks for the added calls, we'll need yet another CVE ID for the
partial fix... but I hope this won't happen.

Alexander