Bugzilla – Bug 132745
VUL-0: CVE-2005-3257: kernel: local privilege escalation by KDSKBSENT
Last modified: 2021-12-08 15:16:53 UTC
found in Mitre DB ... don't know if it affects us, or if we want/need to fix it.

CVE-2005-3257: The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12 allows local users to use the KDSKBSENT ioctl on terminals of other users and gain privileges, as demonstrated by modifying key bindings using loadkeys.

CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334113
BID: 15122
URL: http://www.securityfocus.com/bid/15122
Vojtech, can you please take a look at this one? Thanks!
This issue is known for many years already, and has been usually worked around by having 'loadkeys -d' in the profile and using SAK before login. It is only applicable to shared desktop systems, which can't be considered safe anyway, and as such is a low-threat vulnerability. It does affect every Linux box out there with physical access to the console, so it affects us as well. This patch: --- devel/drivers/char/vt_ioctl.c~setkeys-needs-root 2005-10-17 23:50:37.000000000 -0700 +++ devel-akpm/drivers/char/vt_ioctl.c 2005-10-17 23:51:43.000000000 -0700 @@ -192,6 +192,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry int i, j, k; int ret; + if (!capable(CAP_SYS_TTY_CONFIG)) + return -EPERM; + kbs = kmalloc(sizeof(*kbs), GFP_KERNEL); if (!kbs) { ret = -ENOMEM; is a reasonable fix, however it prevents users from changing the keymap, unless 'loadkeys' is run from a suid wrapper that allows a limited selection of maps. This fix has been included in -mm.
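Review bot: the capable(CAP_SYS_TTY_CONFIG) check sits at the very top of do_kdgkb_ioctl(), which takes a cmd argument and, going by its name, serves KDGKBSENT as well as KDSKBSENT, so the hunk refuses unprivileged reads of the current string bindings along with the writes the CVE is about. If only the write path is meant to be restricted, gate the check on the command, e.g. `if (cmd == KDSKBSENT && !capable(CAP_SYS_TTY_CONFIG)) return -EPERM;`, or place it in the KDSKBSENT branch; in either form the user-visible change (the owner of the controlling tty now needs the capability too, so plain loadkeys stops working for ordinary users, as the comment above already notes) should be recorded in the changelog.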
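The check an administrator would want after reading the comment above is whether the kernel they run still lets an unprivileged caller use KDSKBSENT. The following probe is an added example written for this bug report; it is not code from the report, from loadkeys, or from the kernel patch quoted above. It reads the string bound to one function key with KDGKBSENT and writes the same bytes back with KDSKBSENT, so a successful run changes nothing, and it classifies the kernel's answer: success means bindings can be rewritten (the behaviour CVE-2005-3257 describes), EPERM means a CAP_SYS_TTY_CONFIG check like the one in the -mm patch is in the way. It assumes Linux headers (<linux/kd.h>); the default device path /dev/tty1 and the probed key F12 (KT_FN value 11) are arbitrary choices for the demonstration.

```c
/*
 * Added example for bug 132745 / CVE-2005-3257, not code from the report,
 * loadkeys or the kernel patch. Probes whether the caller may use KDSKBSENT
 * on a virtual console, without changing any binding.
 *
 * Assumptions: Linux with <linux/kd.h>; the default path /dev/tty1 and the
 * probed key F12 (KT_FN value 11) in main() are arbitrary choices.
 */
#include <errno.h>
#include <fcntl.h>
#include <linux/kd.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum kds_result {
    KDS_ALLOWED,   /* KDSKBSENT succeeded: this caller may rewrite key strings */
    KDS_DENIED,    /* EPERM: the kernel refused the caller */
    KDS_NOT_A_VT,  /* ENOTTY: fd is not a virtual console, the probe says nothing */
    KDS_OTHER      /* any other errno (EFAULT, EINVAL, ...) */
};

/* Turn an ioctl return value plus errno into a verdict; split out so it is testable. */
enum kds_result classify_kds(int rc, int err)
{
    if (rc == 0)
        return KDS_ALLOWED;
    if (err == EPERM)
        return KDS_DENIED;
    if (err == ENOTTY)
        return KDS_NOT_A_VT;
    return KDS_OTHER;
}

const char *kds_name(enum kds_result r)
{
    switch (r) {
    case KDS_ALLOWED:  return "ALLOWED (this caller can rewrite key strings)";
    case KDS_DENIED:   return "DENIED (EPERM)";
    case KDS_NOT_A_VT: return "not a virtual console";
    default:           return "other error";
    }
}

/*
 * Probe function key `func` on the console behind fd: fetch its current
 * string with KDGKBSENT, then write the same bytes back with KDSKBSENT.
 * The only observable effect is the kernel's accept/refuse decision.
 * errno of the failing call (or 0) is stored in *err_out when non-NULL.
 */
enum kds_result probe_kdskbsent(int fd, unsigned char func, int *err_out)
{
    struct kbsentry kbs;
    int rc, err;

    memset(&kbs, 0, sizeof kbs);
    kbs.kb_func = func;

    /* If even the read fails, report that: a check at function entry (as in
       the -mm hunk) makes KDGKBSENT return EPERM too, and ENOTTY means the
       descriptor is not a console at all. */
    rc = ioctl(fd, KDGKBSENT, &kbs);
    if (rc != 0) {
        err = errno;
        if (err_out)
            *err_out = err;
        return classify_kds(rc, err);
    }

    /* Write back exactly what was read, for the same key. */
    kbs.kb_func = func;
    rc = ioctl(fd, KDSKBSENT, &kbs);
    err = (rc == 0) ? 0 : errno;
    if (err_out)
        *err_out = err;
    return classify_kds(rc, err);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/tty1";   /* assumed default */
    int fd = open(path, O_RDWR | O_NOCTTY);
    int err = 0;
    enum kds_result r;

    if (fd < 0) {
        perror(path);
        return 2;
    }
    r = probe_kdskbsent(fd, 11 /* F12 */, &err);
    printf("%s: KDSKBSENT -> %s (errno %d%s%s)\n", path, kds_name(r), err,
           err ? ": " : "", err ? strerror(err) : "");
    close(fd);
    /* Exit status 1 when the caller could rewrite bindings, i.e. the old behaviour. */
    return r == KDS_ALLOWED ? 1 : 0;
}
```

Run it as an ordinary user on a console that user is logged in on (cc -Wall probe.c -o probe && ./probe /dev/ttyN); exit status 1 reproduces the pre-fix behaviour the comment describes, exit status 0 with "DENIED (EPERM)" shows the capability check is in place. Run over ssh or in a terminal emulator the probe reports "not a virtual console", because the ioctl only exists on VTs.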
Then we will not fix this for the old products and wait for what upstream does ... thanks for the research, Vojtech!
CVE-2005-3257: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)