Bug 976408 (CVE-2013-2207)
Summary: CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting access to the slave pseudoterminal
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: codonell, fweimer, jlieskov, jrusnack, mcarpenter, mfranc, pfrankli, sardella, security-response-team, spoyarek
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2013-07-22 06:24:36 UTC
Bug Depends On: 984828, 984829
Bug Blocks: 976507

Description
Jan Lieskovsky
2013-06-20 13:59:06 UTC
This issue has been assigned CVE-2013-2207

Created attachment 765000
remove pt_chown take 2

Here's a more complete fix to remove pt_chown. I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it. It's not something we need to support in RHEL, but I figured we would need it upstream.

Statement: Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.

Created attachment 772916
Updated pt_chown patch

Created attachment 773957
Another minor update to pt_chown patch

Created glibc tracking bugs for this issue: Affects: fedora-all [bug 984829]

Patch is now posted upstream: http://sourceware.org/ml/libc-alpha/2013-07/msg00359.html

Fixed upstream.

commit e4608715e6e1dd2adc91982fd151d5ba4f761d69
Author: Carlos O'Donell <carlos>
Date: Fri Jul 19 02:42:03 2013 -0400

    CVE-2013-2207, BZ #15755: Disable pt_chown.

    The helper binary pt_chown tricked into granting access to another user's pseudo-terminal.

    Pre-conditions for the attack:

    * Attacker with local user account
    * Kernel with FUSE support
    * "user_allow_other" in /etc/fuse.conf
    * Victim with allocated slave in /dev/pts

    Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however.

    In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable the use of pt_chown but distributions do so at their own risk.

glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
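
The host-configuration pre-conditions listed in the upstream commit message can be checked on a system with a short script. This is an added example, not part of the bug report or of the glibc patch; the function names and verdict words are illustrative, and the pt_chown location is an argument because it differs between distributions. "exposed" here means only that a setuid pt_chown and `user_allow_other` are both present.

```shell
#!/bin/sh
# Added example: host exposure check for the CVE-2013-2207 pre-conditions.
# Usage: sh check.sh <path-to-pt_chown> [fuse.conf] [mounts-file]
# The pt_chown location differs between distributions, so it is an argument.

# Succeeds if FILE is a regular file with the setuid bit set.
is_setuid_helper() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Succeeds if fuse.conf contains an active (uncommented) user_allow_other line.
fuse_allows_other() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# Succeeds if a devpts filesystem appears in a /proc/mounts-format file.
devpts_mounted() {
    [ -r "$1" ] && awk '$3 == "devpts" { ok = 1 } END { exit !ok }' "$1"
}

# Prints one verdict word for the given helper path, fuse.conf and mounts file.
assess() {
    helper=$1 conf=${2:-/etc/fuse.conf} mounts=${3:-/proc/mounts}
    if ! is_setuid_helper "$helper"; then
        echo "not-exposed"        # no setuid pt_chown present
    elif fuse_allows_other "$conf"; then
        echo "exposed"            # setuid helper plus user_allow_other
    elif devpts_mounted "$mounts"; then
        echo "helper-unneeded"    # devpts is in use, so the helper is not needed
    else
        echo "helper-required"    # no devpts: pt_chown is still relied upon
    fi
}

# Run only when called with arguments, e.g. the installed helper's path.
if [ "$#" -gt 0 ]; then
    assess "$@"
fi
```
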