Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Sep 2010 23:49:03 +0400
From: Solar Designer <>
Subject: Re: Minor security flaw with pam_xauth

On Tue, Sep 21, 2010 at 03:22:07PM -0400, Josh Bressers wrote:
> > > The same commit also introduces previously-missing privilege switching
> > > into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail
> > > fix is incomplete: it only switches the fsuid (should also switch fsgid
> > > (or egid) and groups), and it fails to check the return value from
> > > setfsuid() (doing so would require duplicate calls to setfsuid(), like
> > > we do in libtcb, or switching of euid instead - yet it is desirable).
> Let's use CVE-2010-3430 for the missing setfsgid.

...and the missing setgroups().

> Use CVE-2010-3431 for the missing return checks on setfsuid.

OK.  BTW, I think this is not exploitable on current kernels, at least
not via RLIMIT_NPROC (it does not apply to fsuid), yet it is desirable
to check the return value from such syscalls.

What about the completely missing privilege switching in pre-1.1.2 (the
bug found by Sebastian)?  I don't recall if it already had a CVE id
assigned or not.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.