Bug#850702: CVE-2017-5226 -- bubblewrap escape

2017-01-09 Thread up201407890
Quoting "Simon McVittie" : Control: reassign 850702 bubblewrap 0~git160513-1 Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142 Control: tags 850702 + security upstream On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407...@alunos.dcc.fc.up.pt

Bug#850702: CVE-2017-5226 -- bubblewrap escape

2017-01-09 Thread up201407890
Source: bubblewrap Version: All Severity: grave Hi, When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. This has

Bug#841856: Correction of CVE-2016-7543 is incomplete

2016-10-24 Thread up201407890
Quoting "Ola Lundqvist" : This is known. I "complained" at the time, as it can be seen here: https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html Version: all (see note below) Hardware: all Operating system: Debian GNU Linux (but all should be affected)

Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

2016-10-03 Thread up201407890
Quoting "Simon Ruderich" : It's an invasion of privacy, as I said, for normal users. In your case, if you're changing to an unprivileged user without a shell or password, probably some sort of "locked" account, how is an attacker going to make use of TIOCSTI to exploit

Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

2016-10-03 Thread up201407890
Quoting "Karel Zak" : Anyways, it is bad admin practice and/or an invasion of privacy to su to an unprivileged user. This has been talked about a lot in the past, in most of the times even closed as "WONTFIX". What I'm saying is, it's OK if you can't come up with something.

Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

2016-10-03 Thread up201407890
Quoting "Simon Ruderich" : Loss of job control in the shell. On Mon, Oct 03, 2016 at 04:22:47PM +0200, Karel Zak wrote: The problem is that we don't want to use setsid() in all situations, because it will introduce regressions. From util-linux ReleaseNotes: Hello,

Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

2016-10-03 Thread up201407890
Quoting "Simon Ruderich" : Btw, at least in Red Hat based systems, su uses setsid() when the -c option is given, just like use_pty in sudo. Not sure if this is true in Debian. On Sun, Oct 02, 2016 at 10:54:06AM +0200, up201407...@alunos.dcc.fc.up.pt wrote: Hello

Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

2016-10-02 Thread up201407890
Hello Simon, This has been recently patched by using seccomp to blacklist this ioctl. https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2

Bug#838599: policycoreutils SELinux sandbox escape via TIOCSTI ioctl

2016-09-22 Thread up201407890
Package: policycoreutils Severity: important Tags: security Hi, When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the

Bug#836003: rsyslogd terminal escape sequences injection

2016-08-29 Thread up201407890
Package: rsyslog Version: 7.4.8 Severity: important Tags: security Hi, It seems to me that it is possible to inject terminal escape sequences into log files via syslog(3) # tail -f /var/log/messages Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution failed [\_GPE._L10]

Bug#815922: runuser tty hijacking via TIOCSTI ioctl

2016-02-29 Thread up201407890
Quoting "Phil Susi" : On 2/27/2016 4:23 AM, up201407...@alunos.dcc.fc.up.pt wrote: And yes, there would be no job control if you started a shell from there. This is why in "su" setsid() is called only with "-c", partially fixing the issue. If one would to "su - user" it would

Bug#815922: runuser tty hijacking via TIOCSTI ioctl

2016-02-27 Thread up201407890
Quoting "Phil Susi" : How does setsid() help this? And wouldn't it break the ability to use ctrl-c and ctrl-z on the child program ( since the child won't have a controlling terminal )? I would think the fix would be to simply flush the terminal input buffer after the child

Bug#815922: runuser tty hijacking via TIOCSTI ioctl

2016-02-25 Thread up201407890
Package: util-linux Version: all Severity: important When executing a program via "runuser -u nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been

Bug#812512: pkexec tty hijacking via TIOCSTI ioctl

2016-01-24 Thread up201407890
Package: policykit-1 Version: all Severity: important File: /usr/bin/pkexec When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege

Bug#786804: hwclock(8) SUID privilege escalation

2015-05-25 Thread up201407890
Package: util-linux Version: 2.26.2 Actually, all versions of util-linux are affected. Hello, Federico Bento here. During a recent assessment I have stumbled across a system which had hwclock(8) setuid root $ man hwclock | sed -n '223,231p' Users access and setuid Sometimes, you

Bug#769606: Overflow a2p utility

2014-11-14 Thread up201407890
Package: perl Version: 5 Hello. My name is Federico Manuel Bento, and I have found what _appears_ to be a buffer overflow in the a2p (awk2perl) utility. It comes by default on several different systems. Tested on Fedora 20, Fedora 19, Debian, and works probably on every UNIX-likes