Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 4 Jun 2017 01:15:28 +0200
From: Karel Zak <kzak@...hat.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: TIOCSTI not going away

On Sat, Jun 03, 2017 at 06:58:13PM +0200, Solar Designer wrote:
> In fact, just 2 days ago util-linux 2.30 was released with
> the issue still deliberately not fixed:
> 
> https://marc.info/?l=util-linux-ng&m=149640144016887
> 
> | CVE-2016-2779 - This security issue is NOT FIXED yet.  It is possible to
> |   disable the ioctl TIOCSTI by setsid() only.  Unfortunately, setsid()
> |   has well-defined use cases in su(1) and runuser(1) and any changes
> |   would introduce regressions.  It seems we need a better way -- ideally
> |   another ioctl to disable TIOCSTI without setsid() or in a userspace
> |   implemented pty container (planned as experimental su(1) feature).
> 
> I am posting this message primarily to let maintainers of userspace
> su-like programs know that they should in fact proceed to implement

I'm working on this (su-* branches on github), but I'd like to do some 
refactoring to implement. So, let's hope the next release.

    Karel


-- 
 Karel Zak  <kzak@...hat.com>
 http://karelzak.blogspot.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ