Date: Sun, 4 Jun 2017 01:15:28 +0200 From: Karel Zak <kzak@...hat.com> To: Solar Designer <solar@...nwall.com> Cc: oss-security@...ts.openwall.com Subject: Re: TIOCSTI not going away On Sat, Jun 03, 2017 at 06:58:13PM +0200, Solar Designer wrote: > In fact, just 2 days ago util-linux 2.30 was released with > the issue still deliberately not fixed: > > https://marc.info/?l=util-linux-ng&m=149640144016887 > > | CVE-2016-2779 - This security issue is NOT FIXED yet. It is possible to > | disable the ioctl TIOCSTI by setsid() only. Unfortunately, setsid() > | has well-defined use cases in su(1) and runuser(1) and any changes > | would introduce regressions. It seems we need a better way -- ideally > | another ioctl to disable TIOCSTI without setsid() or in a userspace > | implemented pty container (planned as experimental su(1) feature). > > I am posting this message primarily to let maintainers of userspace > su-like programs know that they should in fact proceed to implement I'm working on this (su-* branches on github), but I'd like to do some refactoring to implement. So, let's hope the next release. Karel -- Karel Zak <kzak@...hat.com> http://karelzak.blogspot.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.