oss-security June 2011 archive

Re: [oss-security] CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl

From: Ludwig Nussel <ludwig.nussel_at_nospam>
Date: Tue Jun 28 2011 - 12:21:47 GMT
To: "Steven M. Christey" <coley@linus.mitre.org>

Ludwig Nussel wrote:
> Josh Bressers wrote:
> >----- Original Message -----
> >> Jan Lieskovsky wrote:
> >> > Hello Josh, Steve, vendors,
> >> >
> >> > based on Debian BTS report:
> >> > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
> >> > (first CVE-2011-XXYY required for Debian case)
> >> >
> >> > looked more into original report:
> >> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=173008
> >> >
> >> > and the first paragraph of [2] suggests:
> >> > "When starting a program via "su - user -c program" the user session
> >> > can escape to the parent session by using the TIOCSTI ioctl to push
> >> > characters into the input buffer. This allows for example a non-root
> >> > session to push "chmod 666 /etc/shadow" or similarly bad commands
> >> > into
> >> > the input buffer such that after the end of the session they are
> >> > executed."
> >> >
> >> > this should get a CVE-2005-YYZZ CVE id.
> >> >
> >> > Could you allocate these?
> >>
> >> ping! :-)
> >
> >I'm not sure if this should get two IDs. It's really one issue, which isn't
> >actually fixed in su.
> >
> >The fundamental issue is that tools like su and sudo keep the tty open.
> >The patch in question closes the tty for the case of su -c, but not for
> >just running su by itself. It is incomplete.
>
> I'm not worried too much about the interactive su case really. The
> usual direction there is user->root, not the other way around I
> suppose. "su -c" might be used by (%post) scripts though as seen
> with ikiwiki.

So can we have a CVE for that issue at least?

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
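
For the "su -c" case discussed in this thread, one way to keep the started command away from the caller's terminal is to run it in a new session with stdin redirected. The following is an added example, not part of the original message and not the coreutils patch under discussion; the helper names run_detached and has_ctty are hypothetical, and the TIOCSTI remark in the comment assumes Linux.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process can still open its controlling terminal. */
static int has_ctty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hypothetical helper: run argv in a new session with stdin from /dev/null.
 * With argv == NULL the child only reports has_ctty() as its exit status.
 * Returns the child's exit status, or -1 on failure. */
int run_detached(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A fresh fork is never a process group leader, so setsid() succeeds
         * and the child loses the caller's controlling terminal. On Linux,
         * TIOCSTI on an inherited tty fd then needs CAP_SYS_ADMIN. */
        if (setsid() == (pid_t)-1)
            _exit(126);
        int nul = open("/dev/null", O_RDONLY);
        if (nul < 0 || dup2(nul, STDIN_FILENO) < 0)
            _exit(126);
        if (argv == NULL)
            _exit(has_ctty());      /* self-check mode: 0 means detached */
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    return run_detached(argc > 1 ? argv + 1 : NULL);
}
```

Run without arguments, the program exits 0 when the child could not reach a controlling terminal; stdout and stderr are still inherited, so a caller that wants full isolation would redirect those as well.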