about summary refs log tree commit diff
path: root/ChangeLog
diff options
context:
space:
mode:
authorCarlos O'Donell <carlos@redhat.com>2013-07-19 02:42:03 -0400
committerCarlos O'Donell <carlos@redhat.com>2013-07-21 15:39:55 -0400
commite4608715e6e1dd2adc91982fd151d5ba4f761d69 (patch)
tree04bc13d3736e14045f0f9fc37e0303a067f943cf /ChangeLog
parentda2d62df77de66e5de5755228759f8bc18481871 (diff)
downloadglibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.gz
glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.xz
glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.zip
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.

Pre-conditions for the attack:

 * Attacker with local user account
 * Kernel with FUSE support
 * "user_allow_other" in /etc/fuse.conf
 * Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own.  It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog21
1 files changed, 21 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index e709aca1a1..49c346d20a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,24 @@
+2013-07-21  Siddhesh Poyarekar  <siddhesh@redhat.com>
+	    Andreas Schwab  <schwab@suse.de>
+	    Roland McGrath  <roland@hack.frob.com>
+	    Joseph Myers  <joseph@codesourcery.com>
+	    Carlos O'Donell  <carlos@redhat.com>
+
+	[BZ #15755]
+	* config.h.in: Define HAVE_PT_CHOWN.
+	* config.make.in (build-pt-chown): New variable.
+	* configure.in (--enable-pt_chown): New configure option.
+	* configure: Regenerate.
+	* login/Makefile: Include Makeconfig.  Build pt_chown only if
+	build-pt-chown is enabled.
+	* sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+	pt_chown to fix pty ownership.
+	* sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+	CLOSE_ALL_FDS.
+	* manual/install.texi (Configuring and compiling): Mention
+	--enable-pt_chown. Add @findex for grantpt.
+	* INSTALL: Regenerate.
+
 2013-07-20  David S. Miller  <davem@davemloft.net>
 
 	* sysdeps/sparc/fpu/libm-test-ulps: Update ULPs to handle minor