Bug 976408 (CVE-2013-2207) - CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions changes when granting access to the slave pseudoterminal
Summary: CVE-2013-2207 glibc (pt_chown): Improper pseudotty ownership and permissions ...
Status: CLOSED NOTABUG
Alias: CVE-2013-2207
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130716,repor...
Keywords: Security
Depends On: 984828 984829
Blocks: 976507
TreeView+ depends on / blocked
 
Reported: 2013-06-20 13:59 UTC by Jan Lieskovsky
Modified: 2019-06-08 19:37 UTC (History)
10 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-07-22 06:24:36 UTC


Attachments (Terms of Use)
remove pt_chown take 2 (7.62 KB, patch)
2013-06-25 09:50 UTC, Siddhesh Poyarekar
no flags Details | Diff
Updated pt_chown patch (7.38 KB, patch)
2013-07-12 22:40 UTC, Siddhesh Poyarekar
no flags Details | Diff
Another minor update to pt_chown patch (6.91 KB, patch)
2013-07-15 23:14 UTC, Siddhesh Poyarekar
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Sourceware 15755 None None None Never

Description Jan Lieskovsky 2013-06-20 13:59:06 UTC
A security flaw was found in the way pt_chown, a helper function for grantpt(3) to change ownership and permissions of pseudoterminal, of glibc, the collection of GNU libc libraries, performed pseudotty ownership and permission changes when granting access to the slave pseudoterminal. A local attacker could use this flaw to obtain unauthorized read / write access at the pseudoterminal of their choose by using a specially-crafted (by attacker supplied) file system.

Acknowledgements:

Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.

Comment 6 Huzaifa S. Sidhpurwala 2013-06-21 07:25:59 UTC
This issue has been assigned CVE-2013-2207

Comment 14 Siddhesh Poyarekar 2013-06-25 09:50:10 UTC
Created attachment 765000 [details]
remove pt_chown take 2

Here's a more complete fix to remove pt_chown.  I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it.  It's not something we need to support in RHEL, but I figured we would need it upstream.

Comment 20 Huzaifa S. Sidhpurwala 2013-06-27 06:33:35 UTC
Statement:

Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 25 Siddhesh Poyarekar 2013-07-12 22:40:57 UTC
Created attachment 772916 [details]
Updated pt_chown patch

Comment 28 Siddhesh Poyarekar 2013-07-15 23:14:13 UTC
Created attachment 773957 [details]
Another minor update to pt_chown patch

Comment 32 Huzaifa S. Sidhpurwala 2013-07-16 07:01:05 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 984829]

Comment 35 Carlos O'Donell 2013-07-19 05:57:13 UTC
Patch is now posted upstream:
http://sourceware.org/ml/libc-alpha/2013-07/msg00359.html

Comment 36 Carlos O'Donell 2013-07-21 19:41:39 UTC
Fixed upstream.

commit e4608715e6e1dd2adc91982fd151d5ba4f761d69
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Fri Jul 19 02:42:03 2013 -0400

    CVE-2013-2207, BZ #15755: Disable pt_chown.
    
    The helper binary pt_chown tricked into granting access to another
    user's pseudo-terminal.
    
    Pre-conditions for the attack:
    
     * Attacker with local user account
     * Kernel with FUSE support
     * "user_allow_other" in /etc/fuse.conf
     * Victim with allocated slave in /dev/pts
    
    Using the setuid installed pt_chown and a weak check on whether a file
    descriptor is a tty, an attacker could fake a pty check using FUSE and
    trick pt_chown to grant ownership of a pty descriptor that the current
    user does not own.  It cannot access /dev/pts/ptmx however.
    
    In most modern distributions pt_chown is not needed because devpts
    is enabled by default. The fix for this CVE is to disable building
    and using pt_chown by default. We still provide a configure option
    to enable hte use of pt_chown but distributions do so at their own
    risk.

Comment 39 Fedora Update System 2013-08-22 00:49:47 UTC
glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 40 Fedora Update System 2013-09-05 01:34:23 UTC
glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.