Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Tue, 21 Sep 2010 23:49:03 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Minor security flaw with pam_xauth

On Tue, Sep 21, 2010 at 03:22:07PM -0400, Josh Bressers wrote:
> > > The same commit also introduces previously-missing privilege switching
> > > into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail
> > > fix is incomplete: it only switches the fsuid (should also switch fsgid
> > > (or egid) and groups), and it fails to check the return value from
> > > setfsuid() (doing so would require duplicate calls to setfsuid(), like
> > > we do in libtcb, or switching of euid instead - yet it is desirable).
...
> Let's use CVE-2010-3430 for the missing setfsgid.

...and the missing setgroups().

> Use CVE-2010-3431 for the missing return checks on setfsuid.

OK.  BTW, I think this is not exploitable on current kernels, at least
not via RLIMIT_NPROC (it does not apply to fsuid), yet it is desirable
to check the return value from such syscalls.

What about the completely missing privilege switching in pre-1.1.2 (the
bug found by Sebastian)?  I don't recall if it already had a CVE id
assigned or not.

Alexander
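The checked double-call idiom referred to above, carried through to fsgid and supplementary groups, as an added example (not code from pam_env, pam_mail or libtcb; the function names are assumptions, and it is Linux-only):

```c
/* Added example: switching the filesystem identity with checked
 * setfsuid()/setfsgid() plus setgroups(). Function names are assumed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* setfsuid() returns the *previous* fsuid whether or not the change took
 * effect, so a single call cannot report failure. Calling it a second time
 * with the same value is a no-op that returns the *current* fsuid, which
 * must now equal the requested one. */
static int set_fsuid_checked(uid_t uid)
{
    (void)setfsuid(uid);                 /* attempt; return is only the old fsuid */
    if ((uid_t)setfsuid(uid) != uid) {   /* re-read the current fsuid */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The same idiom for the filesystem gid. */
static int set_fsgid_checked(gid_t gid)
{
    (void)setfsgid(gid);
    if ((gid_t)setfsgid(gid) != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Switch the full filesystem identity (supplementary groups, fsgid, fsuid)
 * before touching a user's files. Groups are cleared first because that
 * step needs CAP_SETGID; an unprivileged caller fails here and nothing
 * else is changed. A failure at any step means the identity is incomplete
 * and the caller must not proceed with the file access. */
static int switch_fs_identity(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)         /* drop to the single target group */
        return -1;
    if (set_fsgid_checked(gid) != 0)
        return -1;
    if (set_fsuid_checked(uid) != 0)
        return -1;
    return 0;
}
```

Switching the uid last keeps the privilege needed for the gid and group changes; a privileged caller should restore all three afterwards in the reverse order.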
