Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting access to the slave pseudoterminal
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Status: CLOSED NOTABUG
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: codonell, fweimer, jlieskov, jrusnack, mcarpenter, mfranc, pfrankli, sardella, security-response-team, spoyarek
Doc Type: Bug Fix
Last Closed: 2013-07-22 02:24:36 EDT
Bug Depends On: 984828, 984829
Description Jan Lieskovsky 2013-06-20 09:59:06 EDT
A security flaw was found in the way pt_chown, a helper function for grantpt(3) to change ownership and permissions of pseudoterminal, of glibc, the collection of GNU libc libraries, performed pseudotty ownership and permission changes when granting access to the slave pseudoterminal. A local attacker could use this flaw to obtain unauthorized read / write access at the pseudoterminal of their choice by using a specially-crafted (by attacker supplied) file system.

Acknowledgements: Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.
Comment 14 Siddhesh Poyarekar 2013-06-25 05:50:10 EDT
Created attachment 765000: remove pt_chown take 2

Here's a more complete fix to remove pt_chown. I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it. It's not something we need to support in RHEL, but I figured we would need it upstream.
Comment 20 Huzaifa S. Sidhpurwala 2013-06-27 02:33:35 EDT
Statement: Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 25 Siddhesh Poyarekar 2013-07-12 18:40:57 EDT
Created attachment 772916: Updated pt_chown patch
Comment 28 Siddhesh Poyarekar 2013-07-15 19:14:13 EDT
Created attachment 773957: Another minor update to pt_chown patch
Comment 32 Huzaifa S. Sidhpurwala 2013-07-16 03:01:05 EDT
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 984829]
Comment 35 Carlos O'Donell 2013-07-19 01:57:13 EDT
Patch is now posted upstream: http://sourceware.org/ml/libc-alpha/2013-07/msg00359.html
Comment 36 Carlos O'Donell 2013-07-21 15:41:39 EDT
Fixed upstream.

commit e4608715e6e1dd2adc91982fd151d5ba4f761d69
Author: Carlos O'Donell <firstname.lastname@example.org>
Date:   Fri Jul 19 02:42:03 2013 -0400

    CVE-2013-2207, BZ #15755: Disable pt_chown.

    The helper binary pt_chown tricked into granting access to another
    user's pseudo-terminal.

    Pre-conditions for the attack:

     * Attacker with local user account
     * Kernel with FUSE support
     * "user_allow_other" in /etc/fuse.conf
     * Victim with allocated slave in /dev/pts

    Using the setuid installed pt_chown and a weak check on whether a file
    descriptor is a tty, an attacker could fake a pty check using FUSE and
    trick pt_chown to grant ownership of a pty descriptor that the current
    user does not own. It cannot access /dev/pts/ptmx however.

    In most modern distributions pt_chown is not needed because devpts is
    enabled by default. The fix for this CVE is to disable building and
    using pt_chown by default. We still provide a configure option to
    enable the use of pt_chown but distributions do so at their own risk.
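A host-side check for the preconditions listed in the commit message above, as an added example (not code from glibc, Red Hat or this bug report). The function names are hypothetical, and the directories searched for pt_chown are an assumption supplied by the caller, since the page does not say where the helper is installed.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2013-2207 preconditions
# (setuid pt_chown helper plus user_allow_other in fuse.conf).

# Print every setuid file named pt_chown under the given directories.
find_setuid_pt_chown() {
    find "$@" -type f -name pt_chown -perm -4000 2>/dev/null
}

# Succeed if the fuse.conf-style file has an uncommented
# user_allow_other line (a trailing "# comment" is ignored).
fuse_allows_other() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$1"
}

# Succeed if the /proc/mounts-style file lists a devpts filesystem.
devpts_mounted() {
    [ -r "$1" ] && awk '$3 == "devpts" { f = 1 } END { exit !f }' "$1"
}

# audit_pt_chown FUSE_CONF MOUNTS DIR...
# Returns 0: no setuid pt_chown found
#         1: helper present, user_allow_other not enabled
#         2: helper present and user_allow_other enabled
audit_pt_chown() {
    conf=$1; mounts=$2; shift 2
    helpers=$(find_setuid_pt_chown "$@" || true)
    if [ -z "$helpers" ]; then
        echo "OK: no setuid pt_chown found"
        return 0
    fi
    echo "FOUND setuid pt_chown:"; echo "$helpers"
    if devpts_mounted "$mounts"; then
        echo "devpts is mounted: the helper is not needed, remove it"
    else
        echo "devpts not mounted: grantpt(3) may still rely on the helper"
    fi
    if fuse_allows_other "$conf"; then
        echo "EXPOSED: user_allow_other is set in $conf"
        return 2
    fi
    echo "PARTIAL: user_allow_other not set in $conf"
    return 1
}
```

On a live system, call `audit_pt_chown /etc/fuse.conf /proc/mounts` followed by the directories where the distribution installs glibc helper binaries.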
Comment 39 Fedora Update System 2013-08-21 20:49:47 EDT
glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2013-09-04 21:34:23 EDT
glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.