Re: Minor security flaw with pam_xauth

["Dmitry V. Levin" <ldv () altlinux org>]

Hi,

On Fri, Oct 01, 2010 at 04:02:04PM -0600, Vincent Danen wrote:
> * [2010-09-28 00:17:29 +0400] Solar Designer wrote:
> > On Mon, Sep 27, 2010 at 11:36:13AM -0600, Vincent Danen wrote:
> > > * [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> > > > pam_env and pam_mail accessing the target user's files as root (and thus
> > > > susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> > > > fixed in 1.1.2 - no CVE ID mentioned yet
> > > >
> > > > pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> > > > and groups when accessing the target user's files (and thus potentially
> > > > susceptible to attacks by the user) - CVE-2010-3430
> > > >
> > > > pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> > > > setfsuid() calls succeed (no known impact with current Linux kernels,
> > > > but poor practice in general) - CVE-2010-3431
[...]
> > > Are there patches available to fully fix these issues?  And are there
> > > patches for 3430 and 3431 yet?
> >
> > This is the same question asked different ways.  We have a patch that
> > we're reviewing internally.  To be made available soon.
>
> Great, looking forward to seeing them.

The patch that fixes CVE-2010-3430 and CVE-2010-3431 was just made public:
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=pam_modutil_priv

Besides that, another two issues have been fixed in pam_xauth after
Linux-PAM 1.1.2 release:

In pam_sm_close_session(), the attempt to unlink cookie file was made
without dropping privileges at all if target uid could not be determined:
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-3-g05dafc0

In check_acl(), there were no check that the acl file provided by target
user is a regular file:
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=Linux-PAM-1_1_2-2-gffe7058


-- 
ldv

Attachment: _bin
Description: