A security flaw was found in the way pt_chown, a helper function for grantpt(3) to change ownership and permissions of a pseudoterminal, of glibc, the collection of GNU libc libraries, performed pseudotty ownership and permission changes when granting access to the slave pseudoterminal. A local attacker could use this flaw to obtain unauthorized read/write access to the pseudoterminal of their choice by using a specially crafted (attacker-supplied) file system.
Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.
This issue has been assigned CVE-2013-2207.
Created attachment 765000
remove pt_chown take 2
Here's a more complete fix to remove pt_chown. I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it. It's not something we need to support in RHEL, but I figured we would need it upstream.
Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.
Created attachment 772916
Updated pt_chown patch
Created attachment 773957
Another minor update to pt_chown patch
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 984829]
Patch is now posted upstream:
Author: Carlos O'Donell <firstname.lastname@example.org>
Date: Fri Jul 19 02:42:03 2013 -0400
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable the use of pt_chown but distributions do so at their own
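An added audit script, not part of this bug report or of glibc, that checks the pre-conditions listed in the commit message against constructed sample inputs: a setuid pt_chown binary, an active user_allow_other line in fuse.conf, and whether devpts is mounted (in which case the helper is unnecessary and its setuid bit can go). Every check takes its input file or directory as an argument; the sample file contents and the libexec directory name are assumptions.

```shell
#!/bin/sh
# Added audit for the CVE-2013-2207 pre-conditions (not glibc code).
# Every check takes its input file or directory as an argument, so it
# runs against constructed samples here and against the live system.

# 0 if the fuse.conf at $1 has an active (uncommented) user_allow_other.
fuse_user_allow_other() {
    grep -Eq '^[[:space:]]*user_allow_other([[:space:]]|$)' "$1"
}

# 0 if a mounts table in /proc/mounts format ($1) lists a devpts mount.
devpts_mounted() {
    awk '$3 == "devpts" { found = 1 } END { exit !found }' "$1"
}

# Print each setuid pt_chown binary under the directories given.
find_setuid_pt_chown() {
    find "$@" -name pt_chown -type f -perm -4000 2>/dev/null
}

# Report findings; return 1 only when a setuid pt_chown exists and
# user_allow_other is active, i.e. the FUSE trick is possible locally.
audit_pt_chown() {
    fuse_conf=$1; mounts=$2; shift 2
    exposed=0
    helpers=$(find_setuid_pt_chown "$@")
    if [ -z "$helpers" ]; then
        echo "no setuid pt_chown found"
        return 0
    fi
    echo "setuid pt_chown found: $helpers"
    devpts_mounted "$mounts" &&
        echo "devpts is mounted: pt_chown is not needed, drop its setuid bit or remove it"
    fuse_user_allow_other "$fuse_conf" &&
        { echo "user_allow_other is active in $fuse_conf"; exposed=1; }
    return $exposed
}

# Constructed demo inputs standing in for /etc/fuse.conf, /proc/mounts
# and the directory holding the helper; none are read from this host.
tmp=$(mktemp -d)
mkdir -p "$tmp/libexec"
: > "$tmp/libexec/pt_chown"; chmod 4755 "$tmp/libexec/pt_chown"
printf '%s\n' '# constructed fuse.conf' '#mount_max = 1000' 'user_allow_other' > "$tmp/fuse.conf"
printf '%s\n' 'devpts /dev/pts devpts rw,nosuid,noexec,gid=5,mode=620 0 0' > "$tmp/mounts"
audit_pt_chown "$tmp/fuse.conf" "$tmp/mounts" "$tmp/libexec" ||
    echo "RESULT: CVE-2013-2207 pre-conditions present on the sample inputs"
rm -rf "$tmp"
```

On a live host the call would be `audit_pt_chown /etc/fuse.conf /proc/mounts /usr/libexec`, where the directory a distribution installs pt_chown into is an assumption to check locally.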
glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.