Quoting "Simon McVittie" :
Control: reassign 850702 bubblewrap 0~git160513-1
Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142
Control: tags 850702 + security upstream
On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407...@alunos.dcc.fc.up.pt
Source: bubblewrap
Version: All
Severity: grave
Hi,
When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.
This has
Quoting "Ola Lundqvist" :
This is known.
I "complained" at the time, as it can be seen here:
https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html
Version: all (see note below)
Hardware: all
Operating system: Debian GNU Linux (but all should be affected)
Quoting "Simon Ruderich" :
It's an invasion of privacy, as I said, for normal users.
In your case, if you're changing to an unprivileged user without a
shell nor password, probably some sort of "locked" account, how is an
attacker going to make use of TIOCSTI to exploit
Quoting "Karel Zak" :
Anyways, it is bad admin practice and/or an invasion of privacy to su
to an unprivileged user.
This has been talked a lot in the past, in most of the times even
closed as "WONTFIX".
What I'm saying is, it's OK if you can't come up with something.
Quoting "Simon Ruderich" :
Loss of job control in the shell.
On Mon, Oct 03, 2016 at 04:22:47PM +0200, Karel Zak wrote:
The problem is that we don't want to use setsid() in all situations,
because it will introduce regressions. From util-linux ReleaseNotes:
Hello,
Quoting "Simon Ruderich" :
Btw, at least in redhat based systems, su uses setsid() when the -c
option is given, just like use_pty in sudo. Not sure if this is true
in debian.
On Sun, Oct 02, 2016 at 10:54:06AM +0200,
up201407...@alunos.dcc.fc.up.pt wrote:
Hello
Hello Simon,
This has been recently patched by using seccomp to blacklist this ioctl.
https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2
Package: policycoreutils
Severity: important
Tags: security
Hi,
When executing a program via the SELinux sandbox, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
escape the
Package: rsyslog
Version: 7.4.8
Severity: important
Tags: security
Hi,
It seems to me that it is possible to inject terminal escape sequences
into log files via syslog(3)
# tail -f /var/log/messages
Aug 23 13:50:33 ghetto kernel: ACPI Error: Method parse/execution
failed [\_GPE._L10]
Quoting "Phil Susi" :
On 2/27/2016 4:23 AM, up201407...@alunos.dcc.fc.up.pt wrote:
And yes, there would be no job control if you started a shell from
there. This is why in "su" setsid() is called only with "-c", partially
fixing the issue. If one would to "su - user" it would
Quoting "Phil Susi" :
How does setsid() help this? And wouldn't it break the ability to use
ctrl-c and ctrl-z on the child program ( since the child won't have a
controlling terminal )? I would think the fix would be to simply flush
the terminal input buffer after the child
Package: util-linux
Version: all
Severity: important
When executing a program via "runuser -u nonpriv program" the
nonpriv session can escape to the parent session by using the TIOCSTI
ioctl to push characters into the terminal's input buffer, allowing
privilege escalation.
This issue has been
Package: policykit-1
Version: all
Severity: important
File: /usr/bin/pkexec
When executing a program via "pkexec --user nonpriv program" the
nonpriv session can escape to the parent session by using the TIOCSTI
ioctl to push characters into the terminal's input buffer, allowing
privilege
Package: util-linux
Version: 2.26.2
Actually, all versions of util-linux are affected.
Hello, Federico Bento here.
During a recent assessment I have stumbled across a system which had
hwclock(8) setuid root
$ man hwclock | sed -n '223,231p'
Users access and setuid
Sometimes, you
Package: perl
Version: 5
Hello. My name is Federico Manuel Bento, and I have found what it
_appears_ to be a buffer overflow on the a2p (awk2perl)
utility. It comes by default on several different systems.
Tested on Fedora 20, Fedora 19, Debian, and works probably on every
UNIX-likes