Bug 1300746 (CVE-2016-2568)

Summary: CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, cbuissar, mitr, pkis, polkit-devel, slawomir, up201407890
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that pkexec was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when pkexec exits.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-05 12:20:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1299955, 1300747, 1910646    
Bug Blocks: 1300748    

Description Adam Mariš 2016-01-21 15:42:31 UTC 
It was reported that when executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.

Original bug report (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1299955
Comment 1 Adam Mariš 2016-01-21 15:42:48 UTC 
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1300747]
Comment 2 Federico Manuel Bento 2016-01-26 14:37:03 UTC 
I'd like to request a CVE for this issue, thanks.
Comment 3 Andrej Nemec 2016-02-26 07:53:05 UTC 
CVE assignment:

http://seclists.org/oss-sec/2016/q1/443
Comment 6 Cedric Buissart 2018-03-05 12:20:20 UTC 
Statement:

This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 7 Cedric Buissart 2018-03-05 12:21:29 UTC 
Latest kernel upstream discussion for a kernel side fix: https://patchwork.kernel.org/patch/9753697/