Bug 976408 (CVE-2013-2207)
| Summary: | CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting access to the slave pseudoterminal |
|---|---|
| Product: | [Other] Security Response |
| Component: | vulnerability |
| Reporter: | Jan Lieskovsky <jlieskov> |
| Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG |
| Severity: | medium |
| Priority: | medium |
| Version: | unspecified |
| CC: | codonell, fweimer, jlieskov, jrusnack, mcarpenter, mfranc, pfrankli, sardella, security-response-team, spoyarek |
| Keywords: | Security |
| Hardware: | All |
| OS: | Linux |
| Doc Type: | Bug Fix |
| Last Closed: | 2013-07-22 06:24:36 UTC |
| Bug Depends On: | 984828, 984829 |
| Bug Blocks: | 976507 |
Description
Jan Lieskovsky
2013-06-20 13:59:06 UTC
This issue has been assigned CVE-2013-2207

Created attachment 765000
remove pt_chown take 2

Here's a more complete fix to remove pt_chown. I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it. It's not something we need to support in RHEL, but I figured we would need it upstream.

Statement: Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.

Created attachment 772916
Updated pt_chown patch

Created attachment 773957
Another minor update to pt_chown patch

Created glibc tracking bugs for this issue: Affects: fedora-all [bug 984829]

Patch is now posted upstream: http://sourceware.org/ml/libc-alpha/2013-07/msg00359.html

Fixed upstream.

commit e4608715e6e1dd2adc91982fd151d5ba4f761d69
Author: Carlos O'Donell <carlos>
Date: Fri Jul 19 02:42:03 2013 -0400

CVE-2013-2207, BZ #15755: Disable pt_chown.

The helper binary pt_chown can be tricked into granting access to another
user's pseudo-terminal.

Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable the use of pt_chown but distributions do so at their own
risk.
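
As an added example (not part of the bug report or the glibc patch), the shell functions below audit a host for the two pre-conditions from the commit message that live in files: a setuid pt_chown binary and an active "user_allow_other" line in /etc/fuse.conf. The function names are hypothetical, and the pt_chown path in the usage comment is an assumed install location; pass the path your distribution uses.

```shell
#!/bin/sh
# Added example: audit for the file-level pre-conditions of CVE-2013-2207.
# File locations are parameters so the checks can also be run against copies.
# Usage (helper path is an assumption, adjust for your distribution):
#   audit_pt_chown /etc/fuse.conf /usr/libexec/pt_chown

# True if the FUSE config has an active (uncommented) user_allow_other line.
fuse_allows_other() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$1"
}

# Print each candidate path that is a regular file with the setuid bit set.
setuid_pt_chown() {
    for p in "$@"; do
        if [ -f "$p" ] && [ -u "$p" ]; then
            echo "$p"
        fi
    done
}

# Return 0 and report EXPOSED only when both pre-conditions hold.
# Arguments: FUSE_CONF PT_CHOWN_PATH...
audit_pt_chown() {
    conf=$1
    shift
    helpers=$(setuid_pt_chown "$@")
    if [ -z "$helpers" ]; then
        echo "OK: no setuid pt_chown among the given paths"
        return 1
    fi
    echo "setuid pt_chown present: $helpers"
    if ! fuse_allows_other "$conf"; then
        echo "OK: user_allow_other is not active in $conf"
        return 1
    fi
    echo "EXPOSED: setuid pt_chown and user_allow_other are both present"
    return 0
}
```

A result of EXPOSED still depends on the remaining pre-conditions in the commit message (FUSE support in the kernel and a local attacker account), which this audit does not check.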

glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.