List: oss-security
Subject: Re: [oss-security] Minor security flaw with pam_xauth
From: Solar Designer <solar () openwall ! com>
Date: 2010-09-27 20:29:16
Message-ID: 20100927202916.GA4576 () openwall ! com
On Mon, Sep 27, 2010 at 11:44:03AM -0600, Vincent Danen wrote:
> >* [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> >>pam_xauth missing return value checks from setuid() and similar calls,
> >>fixed in Linux-PAM 1.1.2 - CVE-2010-3316
> >>
> >>pam_env and pam_mail accessing the target user's files as root (and thus
> >>susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> >>fixed in 1.1.2 - no CVE ID mentioned yet
> >>
> >>pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> >>and groups when accessing the target user's files (and thus potentially
> >>susceptible to attacks by the user) - CVE-2010-3430
> >>
> >>pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> >>setfsuid() calls succeed (no known impact with current Linux kernels,
> >>but poor practice in general) - CVE-2010-3431
...
> Oh, hang on. Re-read some older messages again trying to grok this and
> it looks like these checks were introduced in 1.1.2, so they would _not_
> affect earlier versions if I'm understanding correctly.
Older versions were "fully vulnerable". 1.1.2 is "partially vulnerable".
> So only 3316 and the second issue without a CVE name affect pre-1.1.2.
Yes, in a sense.
> So what about previous versions that _don't_ have privilege switching in
> pam_env and pam_mail? Would that require yet another CVE or would the
> addition of privilege switching be considered an enhancement, not a
> security fix?
I think it should be considered a security fix. Moreover, of these four
issues (if we keep the separation above), the currently-CVE-less is the
most serious one.
Alexander
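Added example (not Linux-PAM's own code, and not part of the message above): the privilege-switching pattern the four issues in this thread revolve around. A root process takes the target user's filesystem identity (fsuid, fsgid and supplementary groups, not fsuid alone as in 1.1.2) before touching that user's files, verifies that each step actually took effect instead of trusting setfsuid()'s return value, and switches back afterwards. It is Linux-only (setfsuid/setfsgid); the names fs_ident, switch_fs_identity and restore_fs_identity are this example's own, and the main() merely switches to the caller's own ids so it runs for any user.

```c
/* Added example, not Linux-PAM code: temporarily take a target user's
 * *filesystem* identity (fsuid, fsgid and groups), verifying every step,
 * then switch back. Linux-only. Build: cc -Wall fsident.c */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

struct fs_ident {               /* hypothetical name, this example's own */
    uid_t uid;
    gid_t gid;
    int   ngroups;              /* -1 when the group list was not saved */
    gid_t groups[MAX_GROUPS];
};

/* setfsuid()/setfsgid() return the previous id on BOTH success and failure,
 * so the call's own return value proves nothing. The documented idiom is a
 * follow-up call with an invalid id (-1): it always fails and therefore
 * reports the id that is currently in effect. */
uid_t current_fsuid(void) { return (uid_t) setfsuid((uid_t) -1); }
gid_t current_fsgid(void) { return (gid_t) setfsgid((gid_t) -1); }

/* Put the saved identity back, in reverse order of the switch.
 * Returns 0 if every step verified, -1 otherwise. */
int restore_fs_identity(const struct fs_ident *saved)
{
    int rc = 0;

    setfsuid(saved->uid);
    if (current_fsuid() != saved->uid)
        rc = -1;
    setfsgid(saved->gid);
    if (current_fsgid() != saved->gid)
        rc = -1;
    if (saved->ngroups >= 0 &&
        setgroups((size_t) saved->ngroups, saved->groups) != 0)
        rc = -1;
    return rc;
}

/* Save the current fs identity in *saved and switch to uid/gid.
 * Returns 0 on success; on any failure the original identity is restored
 * and -1 is returned, so the caller never proceeds half-switched. */
int switch_fs_identity(struct fs_ident *saved, uid_t uid, gid_t gid)
{
    saved->uid = current_fsuid();
    saved->gid = current_fsgid();
    saved->ngroups = -1;

    /* Supplementary groups need CAP_SETGID, so only a root caller (the PAM
     * case) can change them; they must be replaced BEFORE fsgid/fsuid are
     * lowered. Leaving root's group list in place is the 1.1.2 gap: a
     * user-controlled path could still be opened with root's group rights. */
    if (geteuid() == 0) {
        saved->ngroups = getgroups(MAX_GROUPS, saved->groups);
        if (saved->ngroups < 0)
            return -1;
        if (setgroups(1, &gid) != 0)
            goto fail;
    }

    setfsgid(gid);
    if (current_fsgid() != gid)
        goto fail;
    setfsuid(uid);
    if (current_fsuid() != uid)
        goto fail;
    return 0;

fail:
    restore_fs_identity(saved);
    return -1;
}

int main(void)
{
    struct fs_ident saved;

    /* Switching to our own real ids works for any user and exercises every
     * check; a real module would pass the target user's pw_uid/pw_gid. */
    if (switch_fs_identity(&saved, getuid(), getgid()) != 0) {
        fprintf(stderr, "switch failed\n");
        return 1;
    }
    printf("fsuid=%u fsgid=%u\n", (unsigned) current_fsuid(),
           (unsigned) current_fsgid());
    /* ... the user's files (e.g. ~/.pam_environment) would be read here ... */
    return restore_fs_identity(&saved) == 0 ? 0 : 1;
}
```

The same rule applies to the setuid()/setgid() family that pam_xauth used: every call's result is checked, and a step that cannot be verified aborts the operation rather than continuing with whatever identity happens to be in effect.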