This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal
- From: Andreas Jaeger <aj at suse dot com>
- To: Carlos O'Donell <carlos at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, David Miller <davem at davemloft dot net>, Roland McGrath <roland at hack dot frob dot com>, Andreas Schwab <schwab at suse dot de>, "Joseph S. Myers" <joseph at codesourcery dot com>, Ryan Arnold <rsa at us dot ibm dot com>, Alexandre Oliva <aoliva at redhat dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>
- Date: Fri, 19 Jul 2013 08:21:51 +0200
- Subject: Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal
- References: <51E8D4C1 dot 9000705 at redhat dot com>
On 07/19/2013 07:55 AM, Carlos O'Donell wrote:
> CVE-2013-2207: pt_chown tricked into granting access to another
> user's pseudo-terminal
>
> Pre-conditions for the attack:
>
> * Attacker with local user account
> * Kernel with FUSE support
> * "user_allow_other" in /etc/fuse.conf
> * Victim with allocated slave in /dev/pts
>
> Using the setuid-installed pt_chown and a weak check on whether a file
> descriptor is a tty, an attacker could fake a pty check using FUSE and
> trick pt_chown into granting ownership of a pty descriptor that the current
> user does not own. It cannot access /dev/pts/ptmx, however.
>
> pt_chown is not needed in most modern distributions since devpts is
> enabled by default. So the fix is to add a configure option to
> enable building pt_chown. This means that pt_chown will not be built
> by default. Distributions will be required to avoid installing
> pt_chown in that case.
>
> There is further discussion to be had around what is or is not valid
> for a FUSE filesystem to do and how glibc can help enforce some of that
> security in tcgetattr. However, first things first: we need to disable
> the use of pt_chown by default.
>
> Siddhesh is out so I'm submitting this on his behalf.
>
> OK to commit?

The patch looks fine to me,
thanks
Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
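
The preconditions quoted above can be checked on a host from the defender's side. The following is an added example, not part of the original message or of glibc: the function names and verdict strings are hypothetical, and because the install path of pt_chown varies by distribution, candidate paths are supplied by the caller.

```sh
#!/bin/sh
# Added example: audit a host for the CVE-2013-2207 preconditions listed in
# the thread (setuid pt_chown present, user_allow_other set in fuse.conf).
# Function names and verdict strings are illustrative assumptions.

# True if the given fuse.conf has an uncommented user_allow_other line.
fuse_allows_other() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$1"
}

# True if a mounts table (same format as /proc/mounts) lists a devpts filesystem.
devpts_mounted() {
    [ -r "$1" ] && awk '$3 == "devpts" { found = 1 } END { exit !found }' "$1"
}

# True if the path is a regular file with the setuid bit set.
is_setuid_file() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Usage: pt_chown_exposure FUSE_CONF MOUNTS CANDIDATE_PATH...
# Prints one verdict, followed by the helper path when one was found.
pt_chown_exposure() {
    conf=$1; mounts=$2; shift 2
    helper=
    for p in "$@"; do
        if is_setuid_file "$p"; then helper=$p; break; fi
    done
    if [ -z "$helper" ]; then
        echo "no-setuid-helper"                 # nothing to abuse
    elif fuse_allows_other "$conf"; then
        echo "preconditions-met:$helper"        # setuid helper + user_allow_other
    elif devpts_mounted "$mounts"; then
        echo "helper-unneeded:$helper"          # devpts is in use; helper can go
    else
        echo "helper-present:$helper"           # setuid helper without devpts
    fi
}

# When run directly with arguments, audit the paths given on the command line.
if [ "$#" -ge 3 ]; then
    pt_chown_exposure "$@"
fi
```

Call it as `pt_chown_exposure /etc/fuse.conf /proc/mounts <candidate paths>`; any verdict that names a helper path means a setuid pt_chown is still installed and should be reviewed for removal.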