oss-sec mailing list archives
Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl
From: Josh Bressers <bressers () redhat com>
Date: Mon, 6 Jun 2011 13:22:02 -0400 (EDT)
----- Original Message -----
Hello Josh, Steve, vendors, based on Debian BTS report: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843 (first CVE-2011-XXYY required for Debian case) looked more into original report: [2] https://bugzilla.redhat.com/show_bug.cgi?id=173008 and the first paragraph of [2] suggests: "When starting a program via "su - user -c program" the user session can escape to the parent session by using the TIOCSTI ioctl to push characters into the input buffer. This allows for example a non-root session to push "chmod 666 /etc/shadow" or similarly bad commands into the input buffer such that after the end of the session they are executed." this should get a CVE-2005-YYZZ CVE id.
This really shouldn't get a CVE id. It's well known, and sadly not easy to fix. There are more details in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=479145 I would classify this as an administration issue, not a flaw in su or sudo. If you're running arbitrary things, you're in far more trouble than this. I'm happy to let MITRE overrule me. -- JB
Current thread:
- CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Jan Lieskovsky (Jun 02)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Josh Bressers (Jun 06)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Michael Gilbert (Jun 06)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl daniel () ruoso com (Jun 06)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Josh Bressers (Jun 08)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Ludwig Nussel (Jun 09)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Josh Bressers (Jun 06)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Ludwig Nussel (Jun 10)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Bernhard Rosenkraenzer (Jun 10)
- Re: /bin/su (was: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl) Ludwig Nussel (Jun 15)
- Re: /bin/su (was: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl) Luka Marinko (Jun 15)
- Re: /bin/su (was: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl) Ondrej Vasik (Jun 15)
- Re: /bin/su (was: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl) Nicolas François (Jun 15)
- Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Bernhard Rosenkraenzer (Jun 10)