Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4706 to the following vulnerability: The pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not properly handle a failure to determine a certain target uid, which might allow local users to delete unintended files by executing a program that relies on the pam_xauth PAM check.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4706
[2] http://openwall.com/lists/oss-security/2010/10/03/1
[3] http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=Linux-PAM-1_1_2-3-g05dafc06cd3dfeb7c4b24942e4e1ae33ff75a123
This issue affects the version of the pam package, as shipped with Red Hat Enterprise Linux 4.

This issue does NOT affect the versions of the pam package, as shipped with Red Hat Enterprise Linux 5 and 6. Relevant pam package versions were already updated:
1. for Red Hat Enterprise Linux 5 via: RHSA-2010:0819 https://rhn.redhat.com/errata/RHSA-2010-0819.html
2. for Red Hat Enterprise Linux 6 via: RHSA-2010:0891 https://rhn.redhat.com/errata/RHSA-2010-0891.html

--

This issue does NOT affect the versions of the pam package, as shipped with Fedora release of 13 and 14. Relevant pam package versions were already updated:
1. for Fedora-13 the version which contains the patch for this issue is: pam-1.1.1-6.fc13
2. for Fedora-14 the version which contains the patch for this issue is: pam-1.1.1-6.fc14
The CVE description here seems fairly confusing. The problem addressed in Dmitry's patch is a missing privilege drop in pam_sm_session_close if the pam_modutil_getpwnam call fails. In such a case, setfsuid is not called and the per-session temporary X authority file (~/.xauthXXXXXX) is unlinked while running with unneeded privileges. However, the relevant setfsuid call was only added recently as a bug fix for root-squash mounted NFS home directories:
http://sourceforge.net/tracker/?func=detail&aid=3010705&group_id=6663&atid=106663
http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=60530da87ddd4ce280fbd5cae182dc7ac3b1a154#patch2

PAM versions in RHEL-4, as well as RHEL-5 and RHEL-6 prior to RHSA-2010:0819 and RHSA-2010:0891 respectively, do not include this change and hence the temporary X authority file is always removed without dropping privileges. This does not seem to have any real security implications in a typical setup, however. If the file is replaced by a symlink to some other file, unlink() only removes that symlink and not the target file. As the temporary X authority file is created right in the user's home directory, the user cannot replace that directory with a symlink to some other directory, which could possibly allow removing the .xauthXXXXXX file in the target directory. Tomas, do you see anything I am missing?
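The two behaviours discussed above (skip the cleanup entirely when the user lookup fails, and drop the filesystem uid to the target user around the unlink otherwise) as an added, stand-alone C example; this is not code from Linux-PAM or from the patch, and the `remove_xauth_file` / `demo_close_session` names, the enum and the temporary file it creates are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/fsuid.h>
#else
/* setfsuid() is Linux-specific; a no-op stand-in keeps the demo building elsewhere. */
static uid_t setfsuid(uid_t u) { (void)u; return getuid(); }
#endif

/* Outcome codes so a caller (or test) can see what the cleanup did. */
enum xauth_rc { XAUTH_REMOVED = 0, XAUTH_NO_USER = 1, XAUTH_UNLINK_FAILED = 2 };

/* Cleanup of the per-session X authority file, structured like the fixed close_session:
 * pw == NULL means pam_modutil_getpwnam failed, so do nothing rather than unlink with
 * the caller's (typically root) privileges. Otherwise switch the filesystem uid to the
 * target user for the unlink only, so the kernel enforces that user's permissions. */
enum xauth_rc remove_xauth_file(const struct passwd *pw, const char *path)
{
    if (pw == NULL)                       /* the check missing in CVE-2010-4706 */
        return XAUTH_NO_USER;
    uid_t saved = setfsuid(pw->pw_uid);   /* drop fsuid to the session owner */
    int rc = unlink(path);                /* removes a symlink itself, never its target */
    int err = errno;
    setfsuid(saved);                      /* restore the caller's fsuid */
    if (rc != 0) {
        fprintf(stderr, "unlink(%s): %s\n", path, strerror(err));
        return XAUTH_UNLINK_FAILED;
    }
    return XAUTH_REMOVED;
}

/* Constructed demonstration: a throwaway file standing in for ~/.xauthXXXXXX is first
 * "closed" with a failed lookup (must survive), then with the real owner (must go). */
int demo_close_session(void)
{
    char path[] = "/tmp/.xauthXXXXXX";   /* constructed, not a real session file */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    if (remove_xauth_file(NULL, path) != XAUTH_NO_USER || access(path, F_OK) != 0)
        return 0;                         /* lookup failure must not unlink anything */
    struct passwd owner = { .pw_name = "session-user", .pw_uid = getuid() }; /* constructed */
    if (remove_xauth_file(&owner, path) != XAUTH_REMOVED || access(path, F_OK) == 0)
        return 0;
    return 1;
}
```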
No, not really.
OK, thanks for looking. I'm closing this bug. As noted in comment #1, current pam packages in RHEL-5 and RHEL-6 drop privileges before removing the temporary X authority file. If there's an opportunity to update pam in RHEL-4 too, we'll include this fix as part of the CVE-2010-3316 (bug #637898) fix, as we did for RHEL-5 and RHEL-6.

Statement: Red Hat does not consider this issue to be a security flaw. For additional details, refer to: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4706