Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2004-0233: utempter: "von hinten durch die brust ins knie" symlink attack | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-0233: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | patchinfo-box.utempter, patchinfo.utempter | ||
|
Description
Thomas Biege
2004-04-20 16:17:39 UTC

- utmp entries aren't supposed to be 0 terminated. String fields are terminated by '\0' if they are shorter than the size of the field.

The exit thing is a bug, and it can probably be exploited to write to files owned by group tty (e.g. by using wall or write). Or you could do a "talk root", and if root talks back he ends up opening your fake tty, and everything he types into his window will go to that file instead of your tty. So in order to exploit this hole all you need to do is get root to type "<return>toor::0:0:please hack me:/:<return>". I'm sure every root user will happily oblige. I think it's a minor problem. I'm fixing it in stable; if you want packages for older products as well, let me know.

The bug alone is a minor issue but has the potential to become more dangerous in conjunction with other minor bugs. To be honest I do not have an example but you know this feeling burning in the belly... Therefore it would be better to fix older versions too. I'll attach the patchinfo files and create the routing slip ASAP.

CAN-2004-0233

Created attachment 18443
patchinfo-box.utempter

Created attachment 18444
patchinfo.utempter

submitted fixed packages to 8.0, 8.1, 8.2, 9.0, 9.1, stable

What's new here? Is there laufzettel etc.? Thomas, can you take care about it?

I'll...

Date: Tue, 20 Apr 2004 11:50:04 +0200 (CEST)
From: Thomas Biege <thomas@suse.de>
To: pama-laufzettel@suse.de
Subject: [pama-laufzettel] [patch][NR 0641] utempter

Subject: [patch][NR 0641] utempter
[...]

Hi Olaf, I am missing the packages in the autobuild queue and just saw an old utempter package in /work/src/done/DISCARDED. That old one is:

Mon Mar 1 10:41:16 CET 2004 - okir@suse.de
- use stat64 to prevent stat calls from choking on minor numbers >= 256 (#35184)

No indications about problems with your package on suse-dist either... am I blind?

this discarded checkin was a wrong solution to a problem we saw on powerpc. this has been fixed otherwise.

Olaf's utempter fix has been checked in already: /work/SRC/old-versions/9.1/SLES/all/utempter/*es

-------------------------------------------------------------------
Tue Apr 20 11:48:09 CEST 2004 - okir@suse.de
- Fix incorrect check for /../ in path names (#39169)

Ok, but I miss the older versions...

for x in /work/SRC/REPOSITORY/utempter /work/SRC/all/BASE/utempter /work/SRC/old-versions/8.0/all/utempter /work/SRC/old-versions/8.1/UL/all/utempter /work/SRC/old-versions/8.2/all/utempter /work/SRC/old-versions/9.0/all/utempter /work/SRC/old-versions/9.1/SLES/all/utempter; do echo $x; head -4 $x/utempter.changes|grep '^- '; done
/work/SRC/REPOSITORY/utempter
head: /work/SRC/REPOSITORY/utempter/utempter.changes: No such file or directory
/work/SRC/all/BASE/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/8.0/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/8.1/UL/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/8.2/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/9.0/all/utempter
- Fix incorrect check for /../ in path names (#39169)
/work/SRC/old-versions/9.1/SLES/all/utempter
- Fix incorrect check for /../ in path names (#39169)

Olaf, I did not see putonftp messages on security-intern@. Was the security flag missing for the patchinfos?

I didn't submit putonftp/patchinfo files. I submitted the fixed packages before you attached them to the report. :(((

Hmmm... can Rudi put them on FTP when he gets the patchinfo files... Olaf, do you know?

Sorry, I forgot. But I think it's possible to submit putonftp files afterwards.

a patchinfo file always collects the current version in autobuild. So of course, just submit a patchinfo and it will be correct.

submitted patchinfo files and sent a message to suse-dist...

packages approved

CVE-2004-0233: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N) |
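An added example, not utempter's code and not part of the original report: one way to turn a fixed-width utmp line field into a device path, reading the field with a bounded length because it may lack a '\0', and rejecting ".." by whole path component rather than by substring. The names `LINE_FIELD`, `has_dotdot` and `line_to_devpath` are hypothetical, and the 32-byte field width is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define LINE_FIELD 32  /* assumed width of the utmp line field */

/* Return 1 if any '/'-separated component of s is exactly "..". */
static int has_dotdot(const char *s)
{
    while (*s) {
        size_t n = strcspn(s, "/");       /* length of this component */
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        s += n;
        while (*s == '/')                 /* skip repeated separators */
            s++;
    }
    return 0;
}

/* Build "/dev/<line>" from a fixed-width field that may lack a '\0'.
 * Returns 0 on success, -1 if the field is empty, absolute, contains
 * a ".." component, or the result does not fit in out. */
int line_to_devpath(const char field[LINE_FIELD], char *out, size_t outlen)
{
    char line[LINE_FIELD + 1];
    size_t n = 0;

    /* Never read past the field: a full-width entry has no terminator. */
    while (n < LINE_FIELD && field[n] != '\0')
        n++;
    memcpy(line, field, n);
    line[n] = '\0';

    if (n == 0 || line[0] == '/' || has_dotdot(line))
        return -1;
    if (outlen < sizeof("/dev/") + n)     /* sizeof counts the '\0' */
        return -1;
    memcpy(out, "/dev/", 5);
    memcpy(out + 5, line, n + 1);         /* copies the terminator too */
    return 0;
}
```

A string check of this kind says nothing about symlinks along the resulting path; that has to be checked on the opened file itself.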