oss-sec mailing list archives
Re: Minor security flaw with pam_xauth
From: "Dmitry V. Levin" <ldv () altlinux org>
Date: Mon, 4 Oct 2010 02:00:03 +0400
Hi,

On Fri, Oct 01, 2010 at 04:02:04PM -0600, Vincent Danen wrote:
> * [2010-09-28 00:17:29 +0400] Solar Designer wrote:
> > On Mon, Sep 27, 2010 at 11:36:13AM -0600, Vincent Danen wrote:
> > > * [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> > > > pam_env and pam_mail accessing the target user's files as root (and thus susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially fixed in 1.1.2 - no CVE ID mentioned yet
> > > >
> > > > pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid) and groups when accessing the target user's files (and thus potentially susceptible to attacks by the user) - CVE-2010-3430
> > > >
> > > > pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the setfsuid() calls succeed (no known impact with current Linux kernels, but poor practice in general) - CVE-2010-3431
> > > [...]
> > > Are there patches available to fully fix these issues? And are there patches for 3430 and 3431 yet?
> >
> > This is the same question asked different ways. We have a patch that we're reviewing internally. To be made available soon.
>
> Great, looking forward to seeing them.

The patch that fixes CVE-2010-3430 and CVE-2010-3431 was just made public:
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=pam_modutil_priv

Besides that, another two issues have been fixed in pam_xauth after Linux-PAM 1.1.2 release:

In pam_sm_close_session(), the attempt to unlink cookie file was made without dropping privileges at all if target uid could not be determined:
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-3-g05dafc0

In check_acl(), there was no check that the acl file provided by target user is a regular file:
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-2-gffe7058

--
ldv
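
Two of the checks discussed in this message, as an added C example that is not part of the original post and is not the Linux-PAM patch: confirming that the fsgid/fsuid switch really took effect before touching a user-controlled file, and refusing anything that is not a regular file. The names `switch_fsids` and `open_user_regular_file` are hypothetical, and supplementary groups, which the thread also lists, are not handled here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <unistd.h>

/* setfsuid()/setfsgid() return the previous ID and never report an error,
 * so repeat the call and compare to confirm the switch took effect. */
static int switch_fsids(uid_t uid, gid_t gid, uid_t *old_uid, gid_t *old_gid)
{
    *old_gid = (gid_t)setfsgid(gid);
    if ((gid_t)setfsgid(gid) == gid) {
        *old_uid = (uid_t)setfsuid(uid);
        if ((uid_t)setfsuid(uid) == uid)
            return 0;
        setfsgid(*old_gid);          /* undo the group half on failure */
    }
    errno = EPERM;
    return -1;
}

/* Hypothetical helper (not a Linux-PAM function): open PATH read-only with the
 * target's fsuid/fsgid; only a regular file is accepted. Returns fd or -1. */
int open_user_regular_file(const char *path, uid_t uid, gid_t gid)
{
    uid_t old_uid;
    gid_t old_gid;
    struct stat st;
    int fd, saved;

    if (switch_fsids(uid, gid, &old_uid, &old_gid) != 0)
        return -1;                   /* never fall back to opening as root */
    /* O_NONBLOCK keeps open() from blocking if the user planted a FIFO. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    saved = errno;
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
        saved = EINVAL;
    }
    if (switch_fsids(old_uid, old_gid, &uid, &gid) != 0) {
        saved = errno;               /* failed restore is an error as well */
        if (fd >= 0)
            close(fd);
        fd = -1;
    }
    errno = saved;
    return fd;
}
```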