A security flaw was found in the way pt_chown, a helper function for grantpt(3) to change ownership and permissions of pseudoterminal, of glibc, the collection of GNU libc libraries, performed pseudotty ownership and permission changes when granting access to the slave pseudoterminal. A local attacker could use this flaw to obtain unauthorized read / write access at the pseudoterminal of their choose by using a specially-crafted (by attacker supplied) file system. Acknowledgements: Red Hat would like to thank Martin Carpenter of Citco for reporting this issue.
This issue has been assigned CVE-2013-2207
Created attachment 765000 [details] remove pt_chown take 2 Here's a more complete fix to remove pt_chown. I've added a configure option to --enable-pt_chown (which defaults to disabled) when someone wants to build a kernel without devpts and wants a glibc that works with it. It's not something we need to support in RHEL, but I figured we would need it upstream.
Statement: Not Vulnerable. This issue does not affect the version of glibc as shipped with Red Hat Enterprise Linux 5 and 6.
Created attachment 772916 [details] Updated pt_chown patch
Created attachment 773957 [details] Another minor update to pt_chown patch
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 984829]
Patch is now posted upstream: http://sourceware.org/ml/libc-alpha/2013-07/msg00359.html
Fixed upstream. commit e4608715e6e1dd2adc91982fd151d5ba4f761d69 Author: Carlos O'Donell <carlos> Date: Fri Jul 19 02:42:03 2013 -0400 CVE-2013-2207, BZ #15755: Disable pt_chown. The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk.
glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
glibc-2.16-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.