Bug 710208 (CVE-2005-4890)

Summary: CVE-2005-4890 coreutils: tty hijacking possible in "su" via TIOCSTI ioctl
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: aquini, kdudka, maxamillion, meyering, ovasik, pasteur, prc, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-04-16 10:46:32 UTC
Bug Depends On: 173008
Bug Blocks: 712417

Description Jan Lieskovsky 2011-06-02 17:13:23 UTC
Quoting first paragraph from [1]:
https://bugzilla.redhat.com/show_bug.cgi?id=173008

for issue description:
======================
When starting a program via "su - user -c program" the user session can escape 
to the parent session by using the TIOCSTI ioctl to push characters into the 
input buffer.  This allows for example a non-root session to push 
"chmod 666 /etc/shadow" or similarly bad commands into the input buffer such 
that after the end of the session they are executed. 

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=173008
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843

Comment 1 Jan Lieskovsky 2011-06-02 17:17:23 UTC
This issue affects the version of the coreutils package, as shipped with
Red Hat Enterprise Linux 4.

--

This issue did NOT affect the versions of the coreutils package, as shipped
with Red Hat Enterprise Linux 5 and 6, as those versions already contain
the patch from bug #173008.

This issue did NOT affect the versions of the coreutils package, as shipped
with Fedora releases 13, 14 and 15, as those versions already contain
the patch from bug #173008.

Comment 2 Jan Lieskovsky 2011-06-02 17:24:28 UTC
CVE request:
[3] http://www.openwall.com/lists/oss-security/2011/06/02/3

Comment 3 Tomas Hoger 2011-06-07 08:05:41 UTC
Previous bugs related to this issue, and the possible problems of such a fix:

bug #173008, bug #199066, bug #280231, bug #479145

It should also be noted that the fix adding setsid() calls only protects the 'su -c' use case, but not the case when root only does 'su - user' and types in commands there interactively.
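
An added example (not code from this bug or from coreutils) of why the setsid() fix mentioned in comment 3 helps: a child that calls setsid() starts a new session with no controlling terminal, and the kernel only accepts TIOCSTI from an unprivileged process on its own controlling terminal. The helper name `child_has_ctty` is hypothetical; the check itself is just whether `/dev/tty` can still be opened in the child.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child, optionally detach it with setsid(),
 * and report whether the child can still reach a controlling terminal.
 * Returns 1 if /dev/tty opens in the child, 0 if it does not, -1 on error. */
int child_has_ctty(int use_setsid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* A freshly forked child is never a process group leader,
         * so setsid() is expected to succeed here. */
        if (use_setsid && setsid() == (pid_t)-1)
            _exit(2);

        /* /dev/tty names the caller's controlling terminal; with none,
         * open() fails (ENXIO on Linux). */
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
        if (fd >= 0) {
            close(fd);
            _exit(1);   /* still attached to the parent's session tty */
        }
        _exit(0);       /* no controlling terminal reachable */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    /* Run from an interactive shell to see the difference. */
    printf("plain fork : controlling tty reachable = %d\n", child_has_ctty(0));
    printf("with setsid: controlling tty reachable = %d\n", child_has_ctty(1));
    return 0;
}
```

As comment 3 notes, this only covers the 'su -c' case: an interactive 'su - user' shell needs the terminal and so keeps it as its controlling tty.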

Comment 4 Huzaifa S. Sidhpurwala 2011-12-20 04:18:26 UTC
This has been assigned CVE-2005-4890 as per:
http://seclists.org/oss-sec/2011/q4/522

Comment 5 Huzaifa S. Sidhpurwala 2012-04-16 10:46:32 UTC
Statement:

This issue affects the version of the coreutils package, as shipped with Red Hat Enterprise Linux 4. Red Hat Enterprise Linux 4 is however in the Extended Life Cycle Support (ELS) phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.