Bug 710208 - (CVE-2005-4890) CVE-2005-4890 coreutils: tty hijacking possible in "su" via TIOCSTI ioctl
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
public=20040726,reported=20110602,sou...
: Security
Depends On: 173008
Blocks: 712417
Reported: 2011-06-02 13:13 EDT by Jan Lieskovsky
Modified: 2012-04-16 06:46 EDT
Doc Type: Bug Fix
Last Closed: 2012-04-16 06:46:32 EDT
Description Jan Lieskovsky 2011-06-02 13:13:23 EDT
Quoting first paragraph from [1]:
https://bugzilla.redhat.com/show_bug.cgi?id=173008

for issue description:
======================
When starting a program via "su - user -c program" the user session can escape 
to the parent session by using the TIOCSTI ioctl to push characters into the 
input buffer.  This allows for example a non-root session to push 
"chmod 666 /etc/shadow" or similarly bad commands into the input buffer such 
that after the end of the session they are executed. 

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=173008
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
Comment 1 Jan Lieskovsky 2011-06-02 13:17:23 EDT
This issue affects the version of the coreutils package, as shipped with
Red Hat Enterprise Linux 4.

--

This issue did NOT affect the versions of the coreutils package, as shipped
with Red Hat Enterprise Linux 5 and 6, as those versions already contain
the patch from bug #173008.

This issue did NOT affect the versions of the coreutils package, as shipped
with Fedora releases 13, 14 and 15, as those versions already contain
the patch from bug #173008.
Comment 2 Jan Lieskovsky 2011-06-02 13:24:28 EDT
CVE request:
[3] http://www.openwall.com/lists/oss-security/2011/06/02/3
Comment 3 Tomas Hoger 2011-06-07 04:05:41 EDT
Previous bugs related to this issue, and the possible problems of such a fix:

bug #173008, bug #199066, bug #280231, bug #479145

It should also be noted that the fix adding setsid() calls only protects the 'su -c' use case, but not the case when root only does 'su - user' and types in commands there interactively.
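The setsid() mitigation mentioned in the comment above, as an added example that is not part of the original bug report and is not the coreutils patch: the child of fork() calls setsid() before the command would be executed, which leaves it in a new session with no controlling terminal, and Linux refuses TIOCSTI from an unprivileged process on a terminal that is not its controlling terminal. The names `run_detached` and `struct child_view` are hypothetical; an interactive 'su - user' shell cannot be launched this way because it needs the controlling terminal, which is the gap the comment describes.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child reports back (hypothetical struct, not coreutils code). */
struct child_view {
    int new_session;  /* 1 if the child is in a different session than the caller */
    int has_ctty;     /* 1 if the child could still open its controlling tty */
};

/* Fork, optionally call setsid() in the child, and return the child's view
 * through a pipe. Returns 0 on success, -1 on error. */
int run_detached(int use_setsid, struct child_view *out)
{
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    pid_t parent_sid = getsid(0);
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        struct child_view v = {0, 0};
        close(pfd[0]);
        /* A freshly forked child is never a process group leader, so setsid() can succeed. */
        if (use_setsid && setsid() < 0) _exit(2);
        v.new_session = (getsid(0) != parent_sid);
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);  /* fails without a controlling tty */
        v.has_ctty = (fd >= 0);
        if (fd >= 0) close(fd);
        if (write(pfd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(3);
        _exit(0);  /* a real launcher would exec the target command here */
    }
    close(pfd[1]);
    ssize_t n = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (n != (ssize_t)sizeof *out) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    struct child_view v;
    for (int s = 0; s <= 1; s++)
        if (run_detached(s, &v) == 0)
            printf("setsid=%d new_session=%d has_ctty=%d\n", s, v.new_session, v.has_ctty);
    return 0;
}
```

Run from an interactive terminal, the `setsid=0` line shows the child still holding the caller's controlling terminal, while the `setsid=1` line shows it detached.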
Comment 4 Huzaifa S. Sidhpurwala 2011-12-19 23:18:26 EST
This has been assigned CVE-2005-4890 as per:
http://seclists.org/oss-sec/2011/q4/522
Comment 5 Huzaifa S. Sidhpurwala 2012-04-16 06:46:32 EDT
Statement:

This issue affects the version of the coreutils package, as shipped with Red Hat Enterprise Linux 4. Red Hat Enterprise Linux 4 is, however, in the Extended Life Cycle Support (ELS) phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
