Date: Mon, 16 Aug 2010 12:05:13 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: oss-security@...ts.openwall.com
Subject: Minor security flaw with pam_xauth

Here's another bug where privileged code isn't checking the return value from setuid():

http://sourceforge.net/tracker/?func=detail&aid=3028213&group_id=6663&atid=106663

I don't think this needs a CVE as I haven't found a useful way to exploit it but maybe someone on here will spot something I've missed. Either way, I would have thought it should be fixed.

Tim

PS Is it just me or is "I fail to see how RLIMIT_NPROC should have any affect on setuid." in the comments a touch disconcerting given that it's from the PAM maintainer?

--
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
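Added example, not part of the original message and not pam_xauth's own code: a privilege drop in C that checks every return value and then verifies the result, which is the check the message says is missing. The helper name drop_privileges is hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (the name is an assumption, not taken from pam_xauth).
 * Permanently switch to uid/gid. Returns 0 on success, -1 on any failure.
 * A caller must treat -1 as fatal and must not go on to exec a helper or
 * touch files on the user's behalf.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear root's supplementary groups while we still may. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: after setuid() the gid can no longer be changed. */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() can fail: EPERM, or EAGAIN on kernels that enforce
     * RLIMIT_NPROC at setuid() time. Ignoring that means continuing as root. */
    if (setuid(uid) != 0)
        return -1;
    /* Do not trust the return values alone: confirm the new identity. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone demo: "drop" to the identity we already have. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```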