mirror of git://sourceware.org/git/glibc.git
e4608715e6
The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk. |
||
|---|---|---|
| .. | ||
| bsd | ||
| i386 | ||
| inet | ||
| powerpc | ||
| sh | ||
| sysv/linux | ||
| x86_64 | ||
| Implies | ||
| Makefile | ||
| Subdirs | ||
| clock_gettime.c | ||
| clock_nanosleep.c | ||
| clock_settime.c | ||
| confstr.h | ||
| get_child_max.c | ||
| getlogin.c | ||
| getlogin_r.c | ||
| getpagesize.c | ||
| grantpt.c | ||
| make-syscalls.sh | ||
| s-proto-cancel.S | ||
| s-proto.S | ||
| setxid.h | ||
| sockatmark.c | ||
| stime.c | ||
| syscall-template.S | ||
| syscall.S | ||
| syscalls.list | ||
| sysdep.h | ||