e4608715e6
The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk. |
||
|---|---|---|
| .. | ||
| programs | ||
| Makefile | ||
| Versions | ||
| endutxent.c | ||
| forkpty.c | ||
| getlogin.c | ||
| getlogin_r.c | ||
| getlogin_r_chk.c | ||
| getpt.c | ||
| getutent.c | ||
| getutent_r.c | ||
| getutid.c | ||
| getutid_r.c | ||
| getutline.c | ||
| getutline_r.c | ||
| getutmp.c | ||
| getutmpx.c | ||
| getutxent.c | ||
| getutxid.c | ||
| getutxline.c | ||
| grantpt.c | ||
| lastlog.h | ||
| login.c | ||
| login_tty.c | ||
| logout.c | ||
| logwtmp.c | ||
| openpty.c | ||
| ptsname.c | ||
| ptsname_r_chk.c | ||
| pty.h | ||
| pututxline.c | ||
| setlogin.c | ||
| setutxent.c | ||
| tst-grantpt.c | ||
| tst-utmp.c | ||
| tst-utmpx.c | ||
| unlockpt.c | ||
| updwtmp.c | ||
| updwtmpx.c | ||
| utmp-private.h | ||
| utmp.h | ||
| utmp_file.c | ||
| utmpname.c | ||
| utmpxname.c | ||