Quoting first paragraph from [1]: https://bugzilla.redhat.com/show_bug.cgi?id=173008 for issue description: ====================== When starting a program via "su - user -c program" the user session can escape to the parent session by using the TIOCSTI ioctl to push characters into the input buffer. This allows for example a non-root session to push "chmod 666 /etc/shadow" or similarly bad commands into the input buffer such that after the end of the session they are executed. References: [1] https://bugzilla.redhat.com/show_bug.cgi?id=173008 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
This issue affects the version of the coreutils package, as shipped with Red Hat Enterprise Linux 4. -- This issue did NOT affect the versions of the coreutils package, as shipped with Red Hat Enterprise Linux 5 and 6, as those versions already contain patch from bug #173008. This issue did NOT affect the versions of the coreutils package, as shipped with Fedora release of 13, 14 and 15, as those versions already contain patch from bug #173008.
CVE request: [3] http://www.openwall.com/lists/oss-security/2011/06/02/3
Previous bugs related to this issue, and the possible problems of such fix: bug #173008, bug #199066, bug #280231, bug #479145 It should also be noted that the fix adding setsid() calls only protects 'su -c' use case, but not the case when root only does 'su - user' and type in commands there interactively.
This has been assigned CVE-2005-4890 as per: http://seclists.org/oss-sec/2011/q4/522
Statement: This issue affects the version of coreutils package, as shipped with Red Hat Enterprise Linux 4. Red Hat Enterprise Linux 4 is however in the Extended Life Cycle Support (ELS) phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.