The helper binary pt_chown could be tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid-installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown into granting ownership of a pty descriptor that the current
user does not own. It cannot, however, be used to gain access to
/dev/pts/ptmx.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable the use of pt_chown, but distributions do so at their own
risk.
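The weak point named above is a tty check that trusts what a filesystem reports about a node. The following is an added example, not glibc's own code, of the stricter check a helper should make before it hands out ownership of a descriptor: besides isatty(), it asks the kernel which filesystem the descriptor belongs to and accepts it only on devpts. The function names, the DEVPTS_SUPER_MAGIC fallback value (the one from linux/magic.h) and the direct use of /dev/ptmx with the TIOCGPTN/TIOCSPTLCK ioctls in the self-check are my choices for this example.

```c
/* Added example, not glibc's own code: a stricter "is this descriptor
 * really a pseudo-terminal slave?" check than a bare isatty()/ptsname()
 * lookup. Besides asking whether the fd is a tty, it asks the kernel which
 * filesystem the descriptor belongs to and accepts it only on devpts. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef DEVPTS_SUPER_MAGIC
#define DEVPTS_SUPER_MAGIC 0x1cd1   /* same value as linux/magic.h */
#endif

/* Return 1 if fd is a character device on a devpts mount that the kernel
 * treats as a tty, 0 otherwise. Every failure path fails closed. */
int fd_is_devpts_slave(int fd)
{
    struct stat st;
    struct statfs fs;

    if (fstat(fd, &st) < 0 || !S_ISCHR(st.st_mode))
        return 0;                       /* not a character device */
    if (!isatty(fd))
        return 0;                       /* kernel says: not a tty */
    if (fstatfs(fd, &fs) < 0)
        return 0;
    /* A filesystem under another user's control (the advisory's FUSE
     * case) can report whatever st_mode and st_rdev it likes for a node,
     * but it cannot change which mount the kernel attributes the
     * descriptor to, so the filesystem type is the check to trust. */
    if (fs.f_type != DEVPTS_SUPER_MAGIC)
        return 0;
    return 1;
}

/* Open a path and run the check on the resulting descriptor. */
int path_is_devpts_slave(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return 0;
    int ok = fd_is_devpts_slave(fd);
    close(fd);
    return ok;
}

/* Self-check: allocate a fresh pty through /dev/ptmx and test its slave.
 * Returns 1 if the slave passes, 0 if it is rejected, -1 if no pty could
 * be allocated here (e.g. a sandbox without /dev/ptmx or /dev/pts). The
 * TIOCGPTN/TIOCSPTLCK ioctls do what ptsname()/unlockpt() do on Linux;
 * grantpt() is not needed because devpts creates the slave owned by the
 * user who opened the master. */
int check_fresh_pty_slave(void)
{
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    unsigned int ptn;
    int unlock = 0;
    if (ioctl(master, TIOCGPTN, &ptn) < 0 ||
        ioctl(master, TIOCSPTLCK, &unlock) < 0) {
        close(master);
        return -1;
    }
    char path[32];
    snprintf(path, sizeof path, "/dev/pts/%u", ptn);
    int slave = open(path, O_RDWR | O_NOCTTY);
    if (slave < 0) {
        close(master);
        return -1;
    }
    int ok = fd_is_devpts_slave(slave);
    close(slave);
    close(master);
    return ok;
}

int main(void)
{
    printf("/dev/null        -> %d\n", path_is_devpts_slave("/dev/null"));
    printf("/etc/passwd      -> %d\n", path_is_devpts_slave("/etc/passwd"));
    printf("fresh pty slave  -> %d (1 = accepted, -1 = no pty here)\n",
           check_fresh_pty_slave());
    return 0;
}
```

/dev/null is a character device but not a tty, so it is rejected at the isatty() step; a regular file is rejected earlier; a slave freshly allocated from /dev/ptmx passes all three steps. The order matters only for cost: the fstatfs() step is the one an attacker-controlled filesystem cannot satisfy.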
The pt_chown program is called completely transparently, so it might
not be able to cope with the various file descriptors the calling
program has open at the time of the call (e.g., under SELinux). Close
all but the needed descriptor and connect stdin, stdout, and stderr
to /dev/null. pt_chown shouldn't print anything when called to
do real work.
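The descriptor hygiene the comment asks for, as an added example that is not glibc's code: the caller forks, closes every descriptor except the one the helper needs, points the three standard streams at /dev/null, and only then execs. The function names are mine, the bounded sweep up to RLIMIT_NOFILE (capped at 65536) is an assumption made for portability, and the self-check uses /bin/sh in place of a real helper so that it can report back over the kept pipe.

```c
/* Added example, not glibc's code: invoke a helper with a clean descriptor
 * table, as the comment above asks. Everything except the one descriptor
 * the helper needs is closed, and stdin/stdout/stderr point at /dev/null
 * so nothing the helper prints or reads can touch the caller's streams. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every descriptor from 3 up to the process limit except keep_fd.
 * A bounded sweep keeps the example portable; close_range(2) is the
 * cheaper option on kernels that have it. */
static void close_all_except(int keep_fd)
{
    struct rlimit rl;
    long max = 65536;                            /* upper bound on the sweep */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY &&
        (long) rl.rlim_cur < max)
        max = (long) rl.rlim_cur;
    for (int fd = 3; fd < max; fd++)
        if (fd != keep_fd)
            close(fd);
}

/* Fork, sanitize the child's descriptors, and exec argv[0]. Returns the
 * helper's exit status, or -1 if it could not be started or was killed. */
int run_helper_clean(char *const argv[], int keep_fd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int null = open("/dev/null", O_RDWR);
        if (null < 0 || dup2(null, 0) < 0 || dup2(null, 1) < 0 || dup2(null, 2) < 0)
            _exit(127);
        if (null > 2)
            close(null);
        close_all_except(keep_fd);
        execv(argv[0], argv);
        _exit(127);                              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: deliberately leak an extra descriptor, then let /bin/sh
 * report over the kept pipe whether that descriptor is still reachable
 * and whether stdin reads as empty. Returns 1 when the leak was closed
 * and stdin is /dev/null, 0 otherwise. */
int demo_leak_is_closed(void)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return 0;
    int leaked = open("/dev/null", O_RDONLY);    /* must not reach the helper */
    if (leaked < 0)
        return 0;
    char keep[16], leak[16];
    snprintf(keep, sizeof keep, "%d", pipefd[1]);
    snprintf(leak, sizeof leak, "%d", leaked);
    /* $1 = kept pipe fd, $2 = leaked fd. The redirection inside the
     * subshell fails when $2 is closed, which is the result we want. */
    char *const argv[] = {
        "/bin/sh", "-c",
        "if (: >&$2) 2>/dev/null; then r=open; else r=closed; fi; "
        "if [ -z \"$(cat)\" ]; then s=empty; else s=data; fi; "
        "echo $r $s >&$1",
        "sh", keep, leak, NULL
    };
    int rc = run_helper_clean(argv, pipefd[1]);
    close(pipefd[1]);
    close(leaked);
    char buf[64] = { 0 };
    ssize_t n = read(pipefd[0], buf, sizeof buf - 1);
    close(pipefd[0]);
    if (rc != 0 || n <= 0)
        return 0;
    return strcmp(buf, "closed empty\n") == 0;
}

int main(void)
{
    printf("leaked descriptor closed and stdin empty: %s\n",
           demo_leak_is_closed() ? "yes" : "no");
    return 0;
}
```

Without the sweep, the shell in the self-check would find the leaked descriptor open and report "open"; with it, the only descriptors the helper inherits are the three null streams and the pipe it was given.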
2001-12-18  Jakub Jelinek  <jakub@redhat.com>

	* sysdeps/unix/sysv/linux/sparc/sparc64/clone.S (clone): Subtract
	stack bias from child stack pointer before passing it to clone syscall.

2001-12-18  Ulrich Drepper  <drepper@redhat.com>

	* sysdeps/posix/sysconf.c (__sysconf): Respect POSIX minimum for
	_SC_TZNAME_MAX.
	* sysdeps/generic/sysconf.c (__sysconf): Likewise.
	Reported by Thorsten Kukuk <kukuk@suse.de>.

	* sysdeps/unix/grantpt.c (grantpt): Correct typo in comment and
	add some casts.

	* sysdeps/unix/sysv/linux/grantpt.c: Make __unix_grantpt static.

2001-12-18  Thorsten Kukuk  <kukuk@suse.de>

	* sysdeps/unix/sysv/linux/grantpt.c: Make errno results standard
	conforming: return EBADF if file descriptor is invalid and EINVAL
	if file descriptor is no valid tty.
	* login/tst-grantpt.c: New file.
	* login/Makefile (tests): Add tst-grantpt.

2001-07-06  Paul Eggert  <eggert@twinsun.com>

	* manual/argp.texi: Remove ignored LGPL copyright notice; it's
	not appropriate for documentation anyway.
	* manual/libc-texinfo.sh: "Library General Public License" ->
	"Lesser General Public License".

2001-07-06  Andreas Jaeger  <aj@suse.de>

	* All files under GPL/LGPL version 2: Place under LGPL version
	2.1.

1999-11-09  Andreas Jaeger  <aj@suse.de>

	* sysdeps/unix/sysv/linux/grantpt.c (grantpt): Add support for devfs.
	* sysdeps/unix/sysv/linux/getpt.c (__getpt): Check for devfs.
	Patch by German Jose Gomez Garcia <german@pinon.ccu.uniovi.es>.
	* sysdeps/unix/sysv/linux/linux_fsinfo.h (DEVFS_SUPER_MAGIC): Added.

1998-09-17 19:34  Ulrich Drepper  <drepper@cygnus.com>

	* sysdeps/unix/sysv/sysv4/bits/utsname.h: Fix typo.
	Patch by John Tobey <jtobey@banta-im.com>.

1998-09-17  Mark Kettenis  <kettenis@phys.uva.nl>

	* login/pty-internal.h: Removed. Moved constants related to the
	`grantpt' helper program protocol to ...
	* login/pty-private.h: ... here. New file.
	* sysdeps/unix/sysv/linux/ptsname.c (ptsname): Reimplementation
	to make the function work with kernels >= 2.1.115.
	* sysdeps/unix/sysv/linux/getpt.c (getpt): Reimplement to call BSD
	version if using the cloning device fails.
	* sysdeps/unix/sysv/linux/grantpt.c: New file.
	* sysdeps/unix/sysv/linux/unlockpt.c: General cleanup.
	* sysdeps/unix/bsd/getpt.c (__getpt): Largely rewritten to allow
	use by Linux specific code.
	* sysdeps/unix/bsd/unlockpt.c: General cleanup.
	* sysdeps/unix/grantpt.c: Largely rewritten. (pts_name): New
	function. (grantpt): Use pts_name, check group and permission
	mode in addition to owner. Try to set the owner, group and
	permission mode first without invoking the helper program.
	* login/programs/pt_chown.c: Largely rewritten. Add argp and
	internationalization support. Use symbolic constants instead of
	hardwired numbers for permission mode.
	* sysdeps/unix/bsd/ptsname.c: New file.

1998-09-17 22:04  Tim Waugh  <tim@cyberelk.demon.co.uk>

	* posix/wordexp-test.c: Undo last change.
	* posix/wordexp.c: Undo last change.