oss-security September 2010 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] Minor security flaw with pam_xa

Re: [oss-security] Minor security flaw with pam_xauth

From: Steven M. Christey <coley_at_nospam>
Date: Tue Sep 21 2010 - 19:15:44 GMT
To: Josh Bressers <bressers@redhat.com>

On Tue, 21 Sep 2010, Josh Bressers wrote:

>> The same commit also introduces previously-missing privilege switching
>> into pam_env and pam_mail.  Unfortunately, this pam_env and pam_mail fix
>> is incomplete: it only switches the fsuid (should also switch fsgid (or
>> egid) and groups), and it fails to check the return value from setfsuid()
>> (doing so would require duplicate calls to setfsuid(), like we do in
>> libtcb, or switching of euid instead - yet it is desirable).
> This one is a bit on the tricky side. I'm going to call it "improper
> setfsuid use" so we can use just one CVE instead of two (as the flaws are
> related):
> Use CVE-2010-3430

Things get tricky once you get to such low levels of detail, and this is
the area where there's a little bit of wiggle room. At one level, you
could call it "improper switching of privileges." Or you could split at
the level of the individual bugs.

One way that helps to clarify such things is: "if I fix X, will Y be
rendered neutral?" In this case, if you don't switch fsgid/egid and
groups, you still have an unchecked return value that could cause problems
if setfsuid() fails. The converse also appears true - even if you check
the result to setfsuid, you still run with the wrong group IDs. (Note
that this "independent bug fix" is actually the opposite of when you merge
things of the same bug type, and this kind of approach will get more and
more complicated as the more-obvious bugs get eliminated from the affected

In this case, I would argue for two CVEs.

- Steve