search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: da2d62d) | patch
CVE-2013-2207, BZ #15755: Disable pt_chown.
commite4608715e6e1dd2adc91982fd151d5ba4f761d69
authorCarlos O'Donell <carlos@redhat.com>
Fri, 19 Jul 2013 06:42:03 +0000 (19 02:42 -0400)
committerCarlos O'Donell <carlos@redhat.com>
Sun, 21 Jul 2013 19:39:55 +0000 (21 15:39 -0400)
tree04bc13d3736e14045f0f9fc37e0303a067f943cftree | snapshot (tar.gz zip)
parentda2d62df77de66e5de5755228759f8bc18481871commit | diff
CVE-2013-2207, BZ #15755: Disable pt_chown.

The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.

Pre-conditions for the attack:

 * Attacker with local user account
 * Kernel with FUSE support
 * "user_allow_other" in /etc/fuse.conf
 * Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own.  It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
ChangeLog diff | blob | blame | history
INSTALL diff | blob | blame | history
NEWS diff | blob | blame | history
config.h.in diff | blob | blame | history
config.make.in diff | blob | blame | history
configure diff | blob | blame | history
configure.in diff | blob | blame | history
login/Makefile diff | blob | blame | history
manual/install.texi diff | blob | blame | history
sysdeps/unix/grantpt.c diff | blob | blame | history
sysdeps/unix/sysv/linux/grantpt.c diff | blob | blame | history
sources.redhat.com git mirror of glibc CVS