Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Jun 2011 11:55:11 +0200
From: Ludwig Nussel <>
Subject: Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl

Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>    based on Debian BTS report:
>    [1]
>        (first CVE-2011-XXYY required for Debian case)
> looked more into original report:
> [2]
> and the first paragraph of [2] suggests:
> "When starting a program via "su - user -c program" the user session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the input buffer.  This allows for example a non-root
> session to push "chmod 666 /etc/shadow" or similarly bad commands into
> the input buffer such  that after the end of the session they are
> executed."

The issue also reminds me that there are several su implemenations.
On Fedora and SUSE we have a patched coreutils version, Debian uses
the one from shadow-utils and then there's also a su from
SimplePAMApps, used by e.g. Owl. Of course each one has it's own
quirks and weird features. Does anyone still remember why a
particular implementation was chosen? :-)


 (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imend├Ârffer, HRB 16746 (AG N├╝rnberg) 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ