Bug 976408 (CVE-2013-2207)

Summary: CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting access to the slave pseudoterminal
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: codonell, fweimer, jlieskov, jrusnack, mcarpenter, mfranc, pfrankli, sardella, security-response-team, spoyarek
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130716,reported=20130617,source=researcher,cvss2=2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N,rhel-5/glibc=notaffected,rhel-6/glibc=notaffected,rhel-7/glibc=notaffected,fedora-all/glibc=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-22 02:24:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 984828, 984829
Bug Blocks: 976507
Attachments (description, flags):
- remove pt_chown take 2 (flags: none)
- Updated pt_chown patch (flags: none)
- Another minor update to pt_chown patch (flags: none)

Description Jan Lieskovsky 2013-06-20 09:59:06 EDT
A security flaw was found in the way pt_chown, a helper function for grantpt(3) to change ownership and permissions of the pseudoterminal, of glibc, the collection of GNU libc libraries, performed pseudotty ownership and permission changes when granting access to the slave pseudoterminal. A local attacker could use this flaw to obtain unauthorized read / write access to the pseudoterminal of their choice by using a specially crafted (attacker-supplied) file system.

Acknowledgements:

Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.
Comment 6 Huzaifa S. Sidhpurwala 2013-06-21 03:25:59 EDT
This issue has been assigned CVE-2013-2207
Comment 14 Siddhesh Poyarekar 2013-06-25 05:50:10 EDT
Created attachment 765000 [details]
remove pt_chown take 2

Here's a more complete fix to remove pt_chown.  I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it.  It's not something we need to support in RHEL, but I figured we would need it upstream.
Comment 20 Huzaifa S. Sidhpurwala 2013-06-27 02:33:35 EDT
Statement:

Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 25 Siddhesh Poyarekar 2013-07-12 18:40:57 EDT
Created attachment 772916 [details]
Updated pt_chown patch
Comment 28 Siddhesh Poyarekar 2013-07-15 19:14:13 EDT
Created attachment 773957 [details]
Another minor update to pt_chown patch
Comment 32 Huzaifa S. Sidhpurwala 2013-07-16 03:01:05 EDT
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 984829]
Comment 35 Carlos O'Donell 2013-07-19 01:57:13 EDT
Patch is now posted upstream:
http://sourceware.org/ml/libc-alpha/2013-07/msg00359.html
Comment 36 Carlos O'Donell 2013-07-21 15:41:39 EDT
Fixed upstream.

commit e4608715e6e1dd2adc91982fd151d5ba4f761d69
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Fri Jul 19 02:42:03 2013 -0400

    CVE-2013-2207, BZ #15755: Disable pt_chown.
    
    The helper binary pt_chown could be tricked into granting access to another
    user's pseudo-terminal.
    
    Pre-conditions for the attack:
    
     * Attacker with local user account
     * Kernel with FUSE support
     * "user_allow_other" in /etc/fuse.conf
     * Victim with allocated slave in /dev/pts
    
    Using the setuid installed pt_chown and a weak check on whether a file
    descriptor is a tty, an attacker could fake a pty check using FUSE and
    trick pt_chown to grant ownership of a pty descriptor that the current
    user does not own.  It cannot access /dev/pts/ptmx however.
    
    In most modern distributions pt_chown is not needed because devpts
    is enabled by default. The fix for this CVE is to disable building
    and using pt_chown by default. We still provide a configure option
    to enable the use of pt_chown but distributions do so at their own
    risk.
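As an added defender's check, not part of the glibc patch or of this bug report, the script below audits a host for the pre-conditions listed in the commit message: a setuid pt_chown helper on disk, "user_allow_other" in /etc/fuse.conf, and whether devpts is mounted (the case in which glibc never needs the helper). The default paths, the search-from-root approach and the function names are assumptions; paths are parameters so the checks can be run against a staging root.

```shell
#!/bin/sh
# Added audit helper for CVE-2013-2207; not part of the glibc patch or
# this bug report. It checks the pre-conditions from the commit message:
# a setuid pt_chown helper, "user_allow_other" in /etc/fuse.conf, and
# whether devpts is mounted (the case in which glibc never needs the
# helper). Paths are parameters so it can run against a staging root
# or test fixtures; default locations and function names are assumptions.

# Print every setuid pt_chown binary found below $1 (default: /).
find_setuid_pt_chown() {
    find "${1:-/}" -xdev -type f -name pt_chown -perm -4000 2>/dev/null
}

# Return 0 if the FUSE config at $1 (default: /etc/fuse.conf) enables
# user_allow_other on a non-comment line.
fuse_user_allow_other() {
    conf="${1:-/etc/fuse.conf}"
    [ -r "$conf" ] && grep -Eq '^[[:space:]]*user_allow_other' "$conf"
}

# Return 0 if devpts appears as a filesystem type in the mount table at
# $1 (default: /proc/mounts).
devpts_mounted() {
    awk '$3 == "devpts" { found = 1 } END { exit !found }' "${1:-/proc/mounts}"
}

# Print one line per finding; return 1 if a risky condition is present
# (setuid helper on disk or user_allow_other enabled), else 0.
audit_pt_chown() {
    root="${1:-/}"; conf="${2:-/etc/fuse.conf}"; mounts="${3:-/proc/mounts}"
    rc=0
    helpers=$(find_setuid_pt_chown "$root")
    if [ -n "$helpers" ]; then
        echo "setuid pt_chown present: $helpers"; rc=1
    fi
    if fuse_user_allow_other "$conf"; then
        echo "user_allow_other enabled in $conf"; rc=1
    fi
    if devpts_mounted "$mounts"; then
        echo "devpts mounted: grantpt() does not need the pt_chown helper"
    else
        echo "devpts not mounted: glibc would fall back to pt_chown"
    fi
    return $rc
}
```

Run it as root for a full scan of /; an unprivileged run silently skips directories it cannot read, so a clean result then is not conclusive.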
Comment 39 Fedora Update System 2013-08-21 20:49:47 EDT
glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2013-09-04 21:34:23 EDT
glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.