Bug 710208 (CVE-2005-4890) - CVE-2005-4890 coreutils: tty hijacking possible in "su" via TIOCSTI ioctl
Summary: CVE-2005-4890 coreutils: tty hijacking possible in "su" via TIOCSTI ioctl
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2005-4890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 173008
Blocks: 712417
TreeView+ depends on / blocked
 
Reported: 2011-06-02 17:13 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-16 10:46:32 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2011-06-02 17:13:23 UTC
Quoting first paragraph from [1]:
https://bugzilla.redhat.com/show_bug.cgi?id=173008

for issue description:
======================
When starting a program via "su - user -c program" the user session can escape 
to the parent session by using the TIOCSTI ioctl to push characters into the 
input buffer.  This allows for example a non-root session to push 
"chmod 666 /etc/shadow" or similarly bad commands into the input buffer such 
that after the end of the session they are executed. 

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=173008
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843

Comment 1 Jan Lieskovsky 2011-06-02 17:17:23 UTC
This issue affects the version of the coreutils package, as shipped with
Red Hat Enterprise Linux 4.

--

This issue did NOT affect the versions of the coreutils package, as shipped
with Red Hat Enterprise Linux 5 and 6, as those versions already contain
patch from bug #173008.

This issue did NOT affect the versions of the coreutils package, as shipped
with Fedora release of 13, 14 and 15, as those versions already contain
patch from bug #173008.

Comment 2 Jan Lieskovsky 2011-06-02 17:24:28 UTC
CVE request:
[3] http://www.openwall.com/lists/oss-security/2011/06/02/3

Comment 3 Tomas Hoger 2011-06-07 08:05:41 UTC
Previous bugs related to this issue, and the possible problems of such fix:

bug #173008, bug #199066, bug #280231, bug #479145

It should also be noted that the fix adding setsid() calls only protects 'su -c' use case, but not the case when root only does 'su - user' and type in commands there interactively.

Comment 4 Huzaifa S. Sidhpurwala 2011-12-20 04:18:26 UTC
This has been assigned CVE-2005-4890 as per:
http://seclists.org/oss-sec/2011/q4/522

Comment 5 Huzaifa S. Sidhpurwala 2012-04-16 10:46:32 UTC
Statement:

This issue affects the version of coreutils package, as shipped with Red Hat Enterprise Linux 4. Red Hat Enterprise Linux 4 is however in the Extended Life Cycle Support (ELS) phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.