Date: Tue, 21 Sep 2010 23:49:03 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Minor security flaw with pam_xauth On Tue, Sep 21, 2010 at 03:22:07PM -0400, Josh Bressers wrote: > > > The same commit also introduces previously-missing privilege switching > > > into pam_env and pam_mail. Unfortunately, this pam_env and pam_mail > > > fix is incomplete: it only switches the fsuid (should also switch fsgid > > > (or egid) and groups), and it fails to check the return value from > > > setfsuid() (doing so would require duplicate calls to setfsuid(), like > > > we do in libtcb, or switching of euid instead - yet it is desirable). ... > Let's use CVE-2010-3430 for the missing setfsgid. ...and the missing setgroups(). > Use CVE-2010-3431 for the missing return checks on setfsuid. OK. BTW, I think this is not exploitable on current kernels, at least not via RLIMIT_NPROC (it does not apply to fsuid), yet it is desirable to check the return value from such syscalls. What about the completely missing privilege switching in pre-1.1.2 (the bug found by Sebastian)? I don't recall if it already had a CVE id assigned or not. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ