Re: Re: CVE request: tmux local denial of service (2009)

[Guido Berhoerster <guido+openwall.com () berhoerster name>]

* Florian Weimer <fweimer () redhat com> [2014-01-09 20:06]:
> On 01/09/2014 07:44 PM, cve-assign () mitre org wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > allows users to override the socket path using the -S command line option.
> >
> > We'd like to consider this ineligible for a CVE unless there's new
> > information. In many cases, "ability to cause an inconvenience" is not
> > sufficient for a CVE assignment. The nature of the application
> > apparently makes it unlikely that this would, for example, disrupt
> > unattended root-executed scripts that have a hardcoded tmux command
> > line.
>
> I reported this here because tmux is sometimes used to start servers
> on system boot:
>
> http://unix.stackexchange.com/questions/71372/using-tmux-on-boot-up-of-linux-centos
> http://askubuntu.com/questions/62434/why-does-upstart-keep-respawning-my-process
> https://bowerstudios.com/node/953
> http://code.google.com/p/webrtc2sip/issues/detail?id=80

In that case the right thing to do is setting TMPDIR to a
directory only writable by the user (TMPDIR/-S/-L are documented
in the manpage so this can hardly count as suprising to users).
The development version also supports TMUX_TMPDIR in which
sockets are created without a subdirectory and which e.g. may be
set to XDG_RUNTIME_DIR.
The Debian patch makes tmux potentially less secure due to being
setgid and it was rejected by upstream, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529082#12
In 2011 Debian reverted to the upstream behavior and no longer
carries the patch referenced in the above bug report.
-- 
Guido Berhoerster