oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl

From: Michael Gilbert <michael.s.gilbert () gmail com>
Date: Mon, 6 Jun 2011 16:39:06 -0400
On Mon, Jun 6, 2011 at 1:22 PM, Josh Bressers wrote:

----- Original Message -----

Hello Josh, Steve, vendors,

based on Debian BTS report:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
(first CVE-2011-XXYY required for Debian case)

looked more into original report:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=173008

and the first paragraph of [2] suggests:
"When starting a program via "su - user -c program" the user session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the input buffer. This allows for example a non-root
session to push "chmod 666 /etc/shadow" or similarly bad commands into
the input buffer such that after the end of the session they are
executed."

this should get a CVE-2005-YYZZ CVE id.



This really shouldn't get a CVE id. It's well known, and sadly not easy to
fix. There are more details in this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=479145

I would classify this as an administration issue, not a flaw in su or sudo.
If you're running arbitrary things, you're in far more trouble than this.

I'm happy to let MITRE overrule me.


There is a real exposure here (although somewhat minor), and there are
existing patches that clearly bound/fix the problem, so it should get
an id (in my opinion of course).

Best wishes,
Mike
Previous By Date Next
Previous By Thread Next

Current thread: