Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 28 Feb 2016 17:14:09 +0500
From: "Alexander E. Patrakov" <patrakov@...il.com>
To: oss-security@...ts.openwall.com, up201407890@...nos.dcc.fc.up.pt
Cc: cve-assign@...re.org
Subject: Re: Re: CVE Request: util-linux runuser tty hijacking
 via TIOCSTI ioctl

27.02.2016 18:44, cve-assign@...re.org пишет:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> When executing a program via "runuser -u nonpriv program" the
>> nonpriv session can
>> escape to the parent session by using the TIOCSTI ioctl to push
>> characters into the
>> terminal's input buffer
>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
>
> Use CVE-2016-2779.

One more case:

chroot --userspec=someuser:somegroup / /path/to/test

This also runs "id" at the end.

-- 
Alexander E. Patrakov

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.