Bugzilla – Bug 830257
VUL-0: CVE-2013-2207: glibc: pt_chown tricked into granting access to another users pseudo-terminal
Last modified: 2020-06-14 09:13:00 UTC
is public, via glibc libc-alpha list

Subject: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal
Date: Fri, 19 Jul 2013 01:55:13 -0400
From: Carlos O'Donell <carlos@redhat.com>
To: GNU C Library <libc-alpha@sourceware.org>, David Miller <davem@davemloft.net>, Roland McGrath <roland@hack.frob.com>, Andreas Schwab <schwab@suse.de>, Andreas Jaeger <aj@suse.com>, "Joseph S. Myers" <joseph@codesourcery.com>, Ryan Arnold <rsa@us.ibm.com>, Alexandre Oliva <aoliva@redhat.com>, Siddhesh Poyarekar <siddhesh@redhat.com>

CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal

Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however.

pt_chown is not needed in most modern distributions since devpts is enabled by default. So the fix is to add a configure option to enable building pt_chown. This means that pt_chown will not be built by default. Distributions will be required to avoid installing pt_chown in that case.

There is further discussion to be had around what is or is not valid for a FUSE filesystem to do and how glibc can help enforce some of that security in tcgetattr. However first things first we need to disable the use of pt_chown by default.

Siddhesh is out so I'm submitting this on his behalf.

OK to commit?

(... patch ... )
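Added example (not part of the bug report or the glibc patch): a host audit for the two file-based pre-conditions named in the mail above, a setuid pt_chown and an active "user_allow_other" in the FUSE configuration. The function names and result labels are hypothetical, and the pt_chown path must be supplied by the caller because its install location is not given on this page.

```shell
#!/bin/sh
# Audit for the CVE-2013-2207 pre-conditions that can be read from files.
# Kernel FUSE support and the presence of a victim pty are not checked here.

# fuse_allows_other FILE: succeed if FILE has an active "user_allow_other" line.
fuse_allows_other() {
    [ -r "$1" ] || return 1
    # Drop comments and surrounding whitespace; the option takes no value.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -qx 'user_allow_other'
}

# has_setuid FILE: succeed if FILE is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# audit_pt_chown PT_CHOWN_PATH FUSE_CONF
# Prints one label (hypothetical names):
#   not-installed         no helper at that path
#   installed-not-setuid  helper present but cannot change pty ownership
#   setuid-only           setuid helper present, user_allow_other not enabled
#   exposed               setuid helper present and user_allow_other enabled
audit_pt_chown() {
    pt_chown=$1
    fuse_conf=$2
    if [ ! -e "$pt_chown" ]; then
        echo "not-installed"
    elif ! has_setuid "$pt_chown"; then
        echo "installed-not-setuid"
    elif fuse_allows_other "$fuse_conf"; then
        echo "exposed"
    else
        echo "setuid-only"
    fi
}

# Run the audit only when paths are given on the command line, e.g.
#   sh audit.sh <path-to-pt_chown> /etc/fuse.conf
if [ "$#" -ge 2 ]; then
    audit_pt_chown "$1" "$2"
fi
```

A result of "exposed" or "setuid-only" on a system where devpts is mounted means the helper can be removed or have its setuid bit cleared, which is the direction the mail proposes.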
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (830257) was mentioned in https://build.opensuse.org/request/show/184086 Factory / glibc
openSUSE-SU-2013:1510-1: An update that solves 6 vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 779320,801246,805054,813121,813306,819383,819524,824046,830257,834594,839870
CVE References: CVE-2012-4412,CVE-2013-0242,CVE-2013-1914,CVE-2013-2207,CVE-2013-4237,CVE-2013-4332
Sources used:
openSUSE 12.3 (src): glibc-2.17-4.7.1, glibc-testsuite-2.17-4.7.2, glibc-testsuite-2.17-4.7.3, glibc-utils-2.17-4.7.1
SUSE-SU-2015:1424-1: An update that solves three vulnerabilities and has 7 fixes is now available.
Category: security (important)
Bug References: 830257,851280,918187,920338,927080,928723,932059,933770,933903,935286
CVE References: CVE-2013-2207,CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE-SU-2016:0470-1: An update that solves 10 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 830257,847227,863499,892065,918187,920338,927080,945779,950944,961721,962736,962737,962738,962739
CVE References: CVE-2013-2207,CVE-2013-4458,CVE-2014-8121,CVE-2014-9761,CVE-2015-1781,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): glibc-2.11.3-17.45.66.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src): glibc-2.11.3-17.45.66.1
fixed