oss-sec mailing list archives

Re: TTY pushback vulnerabilities / TIOCSTI


From: Peter Bex <peter () more-magic net>
Date: Tue, 14 Mar 2023 12:10:37 +0100

On Tue, Mar 14, 2023 at 12:01:17PM +0100, Hanno Böck wrote:
> On Tue, 14 Mar 2023 11:46:33 +0100
> Peter Bex <peter () more-magic net> wrote:
>
> > Indeed, opendoas (the portable version of OpenBSD's "doas") has this
> > exact bug as well: https://github.com/Duncaen/OpenDoas/issues/106
>
> Though some context is relevant here: doas is a tool from OpenBSD.
> According to the Linux kernel commit message [1] OpenBSD has fixed this
> already 3 years ago by entirely removing TIOCSTI [2][3].

Indeed, the GitHub issue makes this clear as well (that's why I
specifically mentioned opendoas and not doas in general).
It just shows that even for security-minded folks it's a big trap
to fall into.

This is the case *especially* when either
a) the developers are mainly working on OpenBSD
or
b) it's a port from OpenBSD

Because it isn't even an issue there.  And you wouldn't expect an
OpenBSD-developer to include a PTY allocating feature unless they
explicitly also target Linux.

From a very cursory search, it looks like NetBSD and FreeBSD haven't
disabled the option either, so more fun to be had if they include
doas versions as well.

Cheers,
Peter
