This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal

From: Mike Frysinger <vapier at gentoo dot org>
To: libc-alpha at sourceware dot org
Cc: Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>, Markus Trippelsdorf <markus at trippelsdorf dot de>, "Carlos O'Donell" <carlos at redhat dot com>, David Miller <davem at davemloft dot net>, Roland McGrath <roland at hack dot frob dot com>, Andreas Schwab <schwab at suse dot de>, Andreas Jaeger <aj at suse dot com>, "Joseph S. Myers" <joseph at codesourcery dot com>, Ryan Arnold <rsa at us dot ibm dot com>, Alexandre Oliva <aoliva at redhat dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>
Date: Sun, 25 Aug 2013 03:44:39 -0400
Subject: Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal
References: <51E8D4C1 dot 9000705 at redhat dot com> <20130725140700 dot GA355 at x4> <CAAHN_R1xVBWBriz8iPrWVTYanbeLKuoULgifTg3CGZsXeq5g0Q at mail dot gmail dot com>

On Thursday 25 July 2013 10:09:50 Siddhesh Poyarekar wrote:
> On 25 July 2013 19:37, Markus Trippelsdorf wrote:
> > On 2013.07.19 at 01:55 -0400, Carlos O'Donell wrote:
> >> CVE-2013-2207: pt_chown tricked into granting access to another
> >> users pseudo-terminal
> > 
> > Just a heads up.
> > 
> > This patch causes Konsole and tmux startup failures on my machine, e.g.:
> >  konsole(364)/kdecore (KPty/K3Process) KPty::open: Can't open a pseudo
> >  teletype
> > 
> > To fix this issue I had to remount devpts with gid=5:
> >  mount -o remount,gid=5 /dev/pts/
> > 
> > My original fstab had this entry:
> >  devpts  /dev/pts        devpts      rw,relatime,mode=600   0 0
> 
> That's expected.  /dev/pts should always be mounted with gid=5 where 5
> is the gid of the tty group.  It's a distribution bug if that was how
> it set up the system by default.

the other common way i've seen this be triggered is chroots.  since devpts is 
a shared mount point, if you mount it somewhere else (`mount -t devpts devpts 
/some/chroot/dev/pts`), it is actually shared (including mount options) with 
the original one.  so people have to fix up their chroot scripts to not mess up 
those options.
-mike

Attachment: signature.asc
Description: This is a digitally signed message part.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]