diff options
author | Carlos O'Donell <carlos@redhat.com> | 2013-07-19 02:42:03 -0400 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2013-07-21 15:39:55 -0400 |
commit | e4608715e6e1dd2adc91982fd151d5ba4f761d69 (patch) | |
tree | 04bc13d3736e14045f0f9fc37e0303a067f943cf /NEWS | |
parent | da2d62df77de66e5de5755228759f8bc18481871 (diff) | |
download | glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.gz glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.xz glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.zip |
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk.
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/NEWS b/NEWS index c39157da61..4b2d5ca6d6 100644 --- a/NEWS +++ b/NEWS @@ -21,7 +21,14 @@ Version 2.18 15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426, 15429, 15431, 15432, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490, 15492, 15493, 15497, 15506, 15529, 15536, 15553, 15577, 15583, - 15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711. + 15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711, 15755. + +* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal + has been fixed by disabling the use of pt_chown (Bugzilla #15755). + Distributions can re-enable building and using pt_chown via the new configure + option `--enable-pt_chown'. Enabling the use of pt_chown carries with it + considerable security risks and should only be used if the distribution + understands and accepts the risks. * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla #15078). |