
List:       oss-security
Subject:    Re: [oss-security] CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl
From:       Ludwig Nussel <ludwig.nussel () suse ! de>
Date:       2011-06-28 12:21:47
Message-ID: 201106281421.47262.ludwig.nussel () suse ! de

Ludwig Nussel wrote:
> Josh Bressers wrote:
> >----- Original Message -----
> >> Jan Lieskovsky wrote:
> >> > Hello Josh, Steve, vendors,
> >> >
> >> >    based on Debian BTS report:
> >> >    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
> >> >        (first CVE-2011-XXYY required for Debian case)
> >> >
> >> > looked more into original report:
> >> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=173008
> >> >
> >> > and the first paragraph of [2] suggests:
> >> > "When starting a program via "su - user -c program" the user session
> >> > can escape to the parent session by using the TIOCSTI ioctl to push
> >> > characters into the input buffer. This allows for example a non-root
> >> > session to push "chmod 666 /etc/shadow" or similarly bad commands
> >> > into
> >> > the input buffer such that after the end of the session they are
> >> > executed."
> >> >
> >> > this should get a CVE-2005-YYZZ CVE id.
> >> >
> >> > Could you allocate these?
> >>
> >> ping! :-)
> >
> >I'm not sure if this should get two IDs. It's really one issue, which isn't
> >actually fixed in su.
> >
> >The fundamental issue is that tools like su and sudo keep the tty open.
> >The patch in question closes the tty for the case of su -c, but not for
> >just running su by itself. It is incomplete.
> 
> I'm not worried too much about the interactive su case really. The 
> usual direction there is user->root, not the other way around I 
> suppose. "su -c" might be used by (%post) scripts though as seen 
> with ikiwiki.

So can we have a CVE for that issue at least?

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
