Red Hat Bugzilla – Bug 443995
CVE-2008-1845 mksh: privilege escalation via unflushed tty
Last modified: 2008-04-24 14:09:24 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1845 to the following vulnerability:
The Korn shell (aka mksh) before R33d on MirOS (aka MirBSD) does not flush the tty's I/O when invoking mksh in a new terminal, which allows local users to gain privileges by opening a virtual terminal and entering command sequences, which might later be executed in opportunistic circumstances by a different user who launches mksh and specifies that terminal with the -T option.
Fixed upstream version was already pushed to F7/F8:
Rawhide update mksh-33d-1.fc9 did not make it to F9 before freeze.
Robert, have you managed to reproduce this on Fedora? I must admit that I'm not
quite sure what is the purpose of -T switch, where this can be used in a
I didn't reproduce that, I didn't use the -T switch as well. I was just adviced
personally by upstream to update mksh to solve this issue, as it could be minor
security problem (eventually).
Anyway, I'm asking rel-eng to get mksh-33d-1.fc9 into Fedora 9.
mksh-33d-1.fc9 successfully tagged into f9-final by notting
Closing this bug.