Date: Sun, 4 Jun 2017 01:15:28 +0200 From: Karel Zak <kzak@...hat.com> To: Solar Designer <solar@...nwall.com> Cc: oss-security@...ts.openwall.com Subject: Re: TIOCSTI not going away On Sat, Jun 03, 2017 at 06:58:13PM +0200, Solar Designer wrote: > In fact, just 2 days ago util-linux 2.30 was released with > the issue still deliberately not fixed: > > https://marc.info/?l=util-linux-ng&m=149640144016887 > > | CVE-2016-2779 - This security issue is NOT FIXED yet. It is possible to > | disable the ioctl TIOCSTI by setsid() only. Unfortunately, setsid() > | has well-defined use cases in su(1) and runuser(1) and any changes > | would introduce regressions. It seems we need a better way -- ideally > | another ioctl to disable TIOCSTI without setsid() or in a userspace > | implemented pty container (planned as experimental su(1) feature). > > I am posting this message primarily to let maintainers of userspace > su-like programs know that they should in fact proceed to implement I'm working on this (su-* branches on github), but I'd like to do some refactoring to implement. So, let's hope the next release. Karel -- Karel Zak <kzak@...hat.com> http://karelzak.blogspot.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ