oss-sec mailing list archives

Re: Minor security flaw with pam_xauth


From: Vincent Danen <vdanen () redhat com>
Date: Mon, 27 Sep 2010 11:36:13 -0600

* [2010-09-24 20:48:23 +0400] Solar Designer wrote:

> On Tue, Sep 21, 2010 at 04:02:47PM -0400, Josh Bressers wrote:
> > Since you have the best understanding of these, can you break them down
> > with reasonable explanations and I'll assign IDs to whatever still needs
> > them?
>
> pam_xauth missing return value checks from setuid() and similar calls,
> fixed in Linux-PAM 1.1.2 - CVE-2010-3316
>
> pam_env and pam_mail accessing the target user's files as root (and thus
> susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> fixed in 1.1.2 - no CVE ID mentioned yet
>
> pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> and groups when accessing the target user's files (and thus potentially
> susceptible to attacks by the user) - CVE-2010-3430
>
> pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> setfsuid() calls succeed (no known impact with current Linux kernels,
> but poor practice in general) - CVE-2010-3431
>
> Now, in case someone fixes CVE-2010-3430 but fails to add return value
> checks for the added calls, we'll need yet another CVE ID for the
> partial fix... but I hope this won't happen.

These that are partially fixed are fixed in that git commit you noted
previously?

http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6

Or are they fixed in different commits?  It looks like they should all
be fixed in that commit, but I want to double-check.

Are there patches available to fully fix these issues?  And are there
patches for 3430 and 3431 yet?  I'm assuming also that those issues have
always existed although you say 'in 1.1.2', but they would affect
earlier versions yet, right?

Thanks for any clarification.  I'm trying to wrap my head around this
and the impact of these issues.  They all strike me as relatively minor
issues, but it is possible that I am missing or misunderstanding
something here.

--
Vincent Danen / Red Hat Security Response Team
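The pattern behind CVE-2010-3430 and CVE-2010-3431 is that a root-privileged module must take on the target user's filesystem identity (fsuid, fsgid and supplementary groups) before touching that user's files, and must verify that each privilege-switching call actually took effect. The following is an added illustration of that pattern, not Linux-PAM's own code or the fix from the commit above. It is Linux-specific (setfsuid/setfsgid) and relies on the documented fact that setfsuid() and setfsgid() return the previous id whether or not the change succeeded, so success can only be confirmed by re-querying with an invalid id (-1) and comparing. The function names, the struct, the MAX_SAVED_GROUPS limit and the default demo user "nobody" are this example's own assumptions; the file name ~/.pam_environment is the per-user file pam_env reads and is used here only as a realistic path to stat.

```c
/* Added example (not Linux-PAM code): switch the process's filesystem
 * identity to a user before accessing that user's files, checking every
 * call, then restore.  Linux-specific: uses setfsuid()/setfsgid(). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_SAVED_GROUPS 256   /* assumption: enough for the demo */

struct fs_identity {
    uid_t uid;
    gid_t gid;
    int   ngroups;
    gid_t groups[MAX_SAVED_GROUPS];
};

/* setfsuid()/setfsgid() return the *previous* id on both success and
 * failure, so the only reliable check is to query again with an invalid
 * id (-1 never changes anything) and compare with what we asked for. */
static int fs_identity_verify(uid_t uid, gid_t gid)
{
    return (uid_t)setfsuid((uid_t)-1) == uid && (gid_t)setfsgid((gid_t)-1) == gid;
}

static int fs_identity_save(struct fs_identity *saved)
{
    saved->uid = (uid_t)setfsuid((uid_t)-1);
    saved->gid = (gid_t)setfsgid((gid_t)-1);
    saved->ngroups = getgroups(MAX_SAVED_GROUPS, saved->groups);
    return saved->ngroups < 0 ? -1 : 0;   /* EINVAL if more groups than fit */
}

/* Restore in reverse order and keep going on error so as much as possible
 * is put back; report failure if anything did not end up as saved. */
static int fs_identity_restore(const struct fs_identity *saved)
{
    int ok = 1;
    setfsuid(saved->uid);
    setfsgid(saved->gid);
    if (setgroups((size_t)saved->ngroups, saved->groups) != 0)
        ok = 0;
    if (!fs_identity_verify(saved->uid, saved->gid))
        ok = 0;
    return ok ? 0 : -1;
}

/* Take on uid/gid/groups for filesystem access.  Returns 0 only when every
 * step is confirmed; on any failure the previous identity is restored
 * (best effort), errno is preserved and -1 is returned. */
static int fs_identity_switch(uid_t uid, gid_t gid, const gid_t *groups,
                              size_t ngroups, struct fs_identity *saved)
{
    int err;
    if (fs_identity_save(saved) != 0)
        return -1;
    if (setgroups(ngroups, groups) != 0)     /* EPERM without CAP_SETGID */
        goto fail;
    setfsgid(gid);
    setfsuid(uid);
    if (!fs_identity_verify(uid, gid)) {    /* silently refused? treat as error */
        errno = EPERM;
        goto fail;
    }
    return 0;
fail:
    err = errno;
    fs_identity_restore(saved);
    errno = err;
    return -1;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "nobody";   /* assumption: demo user */
    struct passwd *pw = getpwnam(name);
    gid_t groups[MAX_SAVED_GROUPS];
    int ngroups = MAX_SAVED_GROUPS;
    struct fs_identity saved;
    struct stat st;
    char path[4096];

    if (!pw) { fprintf(stderr, "no such user: %s\n", name); return 1; }
    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) < 0) {
        fprintf(stderr, "too many groups for %s\n", name); return 1;
    }
    if (fs_identity_switch(pw->pw_uid, pw->pw_gid, groups, (size_t)ngroups, &saved) != 0) {
        fprintf(stderr, "cannot take on identity of %s: %s\n", name, strerror(errno));
        return 1;   /* never fall through and touch the file as root */
    }
    /* From here on, file access is subject to the user's own permissions. */
    snprintf(path, sizeof path, "%s/.pam_environment", pw->pw_dir ? pw->pw_dir : "/");
    if (stat(path, &st) == 0)
        printf("%s: mode %04o owner %u\n", path, st.st_mode & 07777, (unsigned)st.st_uid);
    else
        printf("%s: %s\n", path, strerror(errno));
    if (fs_identity_restore(&saved) != 0) {
        fprintf(stderr, "could not restore privileges\n"); return 1;
    }
    return 0;
}
```

Run as root it takes on the named user's identity, stats the file and restores itself; run unprivileged the setgroups() call fails, the failure is reported and the file is not touched at all, which is the behaviour the missing checks in the reports above would have skipped.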
