CVE-2013-2207, BZ #15755: Disable pt_chown.

The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.

Pre-conditions for the attack:

 * Attacker with local user account
 * Kernel with FUSE support
 * "user_allow_other" in /etc/fuse.conf
 * Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own.  It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.

ChangeLog

@@ -1,3 +1,24 @@
+2013-07-21  Siddhesh Poyarekar  <siddhesh@redhat.com>
+	    Andreas Schwab  <schwab@suse.de>
+	    Roland McGrath  <roland@hack.frob.com>
+	    Joseph Myers  <joseph@codesourcery.com>
+	    Carlos O'Donell  <carlos@redhat.com>
+
+	[BZ #15755]
+	* config.h.in: Define HAVE_PT_CHOWN.
+	* config.make.in (build-pt-chown): New variable.
+	* configure.in (--enable-pt_chown): New configure option.
+	* configure: Regenerate.
+	* login/Makefile: Include Makeconfig.  Build pt_chown only if
+	build-pt-chown is enabled.
+	* sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+	pt_chown to fix pty ownership.
+	* sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+	CLOSE_ALL_FDS.
+	* manual/install.texi (Configuring and compiling): Mention
+	--enable-pt_chown. Add @findex for grantpt.
+	* INSTALL: Regenerate.
+
 2013-07-20  David S. Miller  <davem@davemloft.net>
 
 	* sysdeps/sparc/fpu/libm-test-ulps: Update ULPs to handle minor

INSTALL

@@ -136,6 +136,18 @@ will be used, and CFLAGS sets optimization options for the compiler.
 `--enable-lock-elision=yes'
      Enable lock elision for pthread mutexes by default.
 
+`--enable-pt_chown'
+     The file `pt_chown' is a helper binary for `grantpt' (*note
+     Pseudo-Terminals: Allocation.) that is installed setuid root to
+     fix up pseudo-terminal ownership.  It is not built by default
+     because systems using the Linux kernel are commonly built with the
+     `devpts' filesystem enabled and mounted at `/dev/pts', which
+     manages pseudo-terminal ownership automatically.  By using
+     `--enable-pt_chown', you may build `pt_chown' and install it
+     setuid and owned by `root'.  The use of `pt_chown' introduces
+     additional security risks to the system and you should enable it
+     only if you understand and accept those risks.
+
 `--build=BUILD-SYSTEM'
 `--host=HOST-SYSTEM'
      These options are for cross-compiling.  If you specify both

NEWS

@@ -21,7 +21,14 @@ Version 2.18
   15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426,
   15429, 15431, 15432, 15441, 15442, 15448, 15465, 15480, 15485, 15488,
   15490, 15492, 15493, 15497, 15506, 15529, 15536, 15553, 15577, 15583,
-  15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711.
+  15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711, 15755.
+
+* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
+  has been fixed by disabling the use of pt_chown (Bugzilla #15755).
+  Distributions can re-enable building and using pt_chown via the new configure
+  option `--enable-pt_chown'.  Enabling the use of pt_chown carries with it
+  considerable security risks and should only be used if the distribution
+  understands and accepts the risks.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).

config.h.in

@@ -238,4 +238,7 @@
 /* The ARM hard-float ABI is being used.  */
 #undef HAVE_ARM_PCS_VFP
 
+/* The pt_chown binary is being built and used by grantpt.  */
+#undef HAVE_PT_CHOWN
+
 #endif

config.make.in

@@ -95,6 +95,7 @@ link-obsolete-rpc = @link_obsolete_rpc@
 build-nscd = @build_nscd@
 use-nscd = @use_nscd@
 build-hardcoded-path-in-tests= @hardcoded_path_in_tests@
+build-pt-chown = @build_pt_chown@
 
 # Build tools.
 CC = @CC@

configure

@@ -647,6 +647,7 @@ multi_arch
 base_machine
 add_on_subdirs
 add_ons
+build_pt_chown
 build_nscd
 link_obsolete_rpc
 libc_cv_nss_crypt
@@ -756,6 +757,7 @@ enable_obsolete_rpc
 enable_systemtap
 enable_build_nscd
 enable_nscd
+enable_pt_chown
 with_cpu
 '
       ac_precious_vars='build_alias
@@ -1421,6 +1423,7 @@ Optional Features:
   --enable-systemtap      enable systemtap static probe points [default=no]
   --disable-build-nscd    disable building and installing the nscd daemon
   --disable-nscd          library functions will not contact the nscd daemon
+  --enable-pt_chown       Enable building and installing pt_chown
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -3711,6 +3714,19 @@ else
 fi
 
 
+# Check whether --enable-pt_chown was given.
+if test "${enable_pt_chown+set}" = set; then :
+  enableval=$enable_pt_chown; build_pt_chown=$enableval
+else
+  build_pt_chown=no
+fi
+
+
+if test $build_pt_chown = yes; then
+  $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
+
+fi
+
 # The way shlib-versions is used to generate soversions.mk uses a
 # fairly simplistic model for name recognition that can't distinguish
 # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os

configure.in

@@ -353,6 +353,16 @@ AC_ARG_ENABLE([nscd],
 	      [use_nscd=$enableval],
 	      [use_nscd=yes])
 
+AC_ARG_ENABLE([pt_chown],
+	      [AS_HELP_STRING([--enable-pt_chown],
+	       [Enable building and installing pt_chown])],
+	      [build_pt_chown=$enableval],
+	      [build_pt_chown=no])
+AC_SUBST(build_pt_chown)
+if test $build_pt_chown = yes; then
+  AC_DEFINE(HAVE_PT_CHOWN)
+fi
+
 # The way shlib-versions is used to generate soversions.mk uses a
 # fairly simplistic model for name recognition that can't distinguish
 # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os

login/Makefile

@@ -30,9 +30,15 @@ routines := getlogin getlogin_r setlogin getlogin_r_chk \
 
 CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
 
-others = utmpdump pt_chown
+others = utmpdump
+
+include ../Makeconfig
+
+ifeq (yes,$(build-pt-chown))
+others += pt_chown
 others-pie = pt_chown
 install-others-programs = $(inst_libexecdir)/pt_chown
+endif
 
 subdir-dirs = programs
 vpath %.c programs

manual/install.texi

@@ -163,6 +163,20 @@ so that they can be invoked directly.
 @item --enable-lock-elision=yes
 Enable lock elision for pthread mutexes by default.
 
+@pindex pt_chown
+@findex grantpt
+@item --enable-pt_chown
+The file @file{pt_chown} is a helper binary for @code{grantpt}
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
+fix up pseudo-terminal ownership.  It is not built by default because
+systems using the Linux kernel are commonly built with the @code{devpts}
+filesystem enabled and mounted at @file{/dev/pts}, which manages
+pseudo-terminal ownership automatically.  By using
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
+setuid and owned by @code{root}.  The use of @file{pt_chown} introduces
+additional security risks to the system and you should enable it only if
+you understand and accept those risks.
+
 @item --build=@var{build-system}
 @itemx --host=@var{host-system}
 These options are for cross-compiling.  If you specify both options and

sysdeps/unix/grantpt.c

@@ -173,9 +173,10 @@ grantpt (int fd)
   retval = 0;
   goto cleanup;
 
-  /* We have to use the helper program.  */
+  /* We have to use the helper program if it is available.  */
  helper:;
 
+#ifdef HAVE_PT_CHOWN
   pid_t pid = __fork ();
   if (pid == -1)
     goto cleanup;
@@ -231,6 +232,7 @@ grantpt (int fd)
 	    assert(! "getpt: internal error: invalid exit code from pt_chown");
 	  }
     }
+#endif
 
  cleanup:
   if (buf != _buf)

sysdeps/unix/sysv/linux/grantpt.c

@@ -11,7 +11,7 @@
 
 #include "pty-private.h"
 
-
+#if HAVE_PT_CHOWN
 /* Close all file descriptors except the one specified.  */
 static void
 close_all_fds (void)
@@ -39,5 +39,6 @@ close_all_fds (void)
     }
 }
 # define CLOSE_ALL_FDS() close_all_fds()
+#endif
 
 #include <sysdeps/unix/grantpt.c>