From e4608715e6e1dd2adc91982fd151d5ba4f761d69 Mon Sep 17 00:00:00 2001
From: Carlos O'Donell
Date: Fri, 19 Jul 2013 02:42:03 -0400
Subject: CVE-2013-2207, BZ #15755: Disable pt_chown.

The helper binary pt_chown can be tricked into granting access to another user's pseudo-terminal.

Pre-conditions for the attack:

* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable the use of pt_chown but distributions do so at their own risk.

--- login/Makefile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'login') diff --git a/login/Makefile b/login/Makefile index 0bfe643..430c6d9 100644 --- a/login/Makefile +++ b/login/Makefile @@ -30,9 +30,15 @@ routines := getlogin getlogin_r setlogin getlogin_r_chk \ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' -others = utmpdump pt_chown +others = utmpdump + +include ../Makeconfig + +ifeq (yes,$(build-pt-chown)) +others += pt_chown others-pie = pt_chown install-others-programs = $(inst_libexecdir)/pt_chown +endif subdir-dirs = programs vpath %.c programs -- cgit v1.1
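
Review bot: The unchanged context line `CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'` stays unconditional, while the new `ifeq (yes,$(build-pt-chown))` block only stops building and installing the helper, so nothing in this hunk shows that grantpt no longer executes a pt_chown found in libexecdir. A setuid pt_chown left there by an earlier install would still be on disk after an upgrade. The code that consumes LIBEXECDIR should be guarded by the same build-pt-chown condition (this view is limited to 'login', so that guard is not visible here), and packagers should be told to remove the old binary. A smaller point: `include ../Makeconfig` now sits mid-file only so that build-pt-chown is defined before the `ifeq`; a one-line comment above the conditional naming CVE-2013-2207 would explain why the helper is opt-in.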