e4608715e6
The helper binary pt_chown can be tricked into granting access to another user's pseudo-terminal.

Pre-conditions for the attack:

* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable the use of pt_chown but distributions do so at their own risk.

programs
Makefile
Versions
endutxent.c
forkpty.c
getlogin.c
getlogin_r.c
getlogin_r_chk.c
getpt.c
getutent.c
getutent_r.c
getutid.c
getutid_r.c
getutline.c
getutline_r.c
getutmp.c
getutmpx.c
getutxent.c
getutxid.c
getutxline.c
grantpt.c
lastlog.h
login.c
login_tty.c
logout.c
logwtmp.c
openpty.c
ptsname.c
ptsname_r_chk.c
pty.h
pututxline.c
setlogin.c
setutxent.c
tst-grantpt.c
tst-utmp.c
tst-utmpx.c
unlockpt.c
updwtmp.c
updwtmpx.c
utmp-private.h
utmp.h
utmp_file.c
utmpname.c
utmpxname.c