[Pkg-shadow-devel] Bug#505071: Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)

Paul Szabo psz at maths.usyd.edu.au
Mon Nov 10 20:36:18 UTC 2008


Dear Nekral,

Curious way of counting bugs. What do you mean exploitable: to do what?
(Surely is_my_tty cannot protect, being buggy itself.)

As I see things, the following bugs are present:

- bad selection of utmp entry [often choosing wrong]
- is_my_tty uses stat [should be lstat]
- is_my_tty compares rdev only [should also test dev ino etc]
- maybe is_my_tty should scrutinize path [ensure directory components
  are root-owned and safe]
- race between is_my_tty checks and chown
- chown of unsafe path [should be fchown anyway]

As things are, it is exploitable to elevate privileges from group utmp
to root. It is also buggy, often failing for legitimate use. Fixing all
bugs would be best; fixing some may already render it "safe" against
exploitation, and/or restore functionality.

Please, fix soon. Please change severity.

Cheers,

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
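
An added example, not part of the original message and not shadow's own code: one way to combine several of the listed fixes (no symlink following, comparing dev and ino as well as rdev, and fchown on the checked descriptor instead of chown on a path). The helper names and the use of a reference descriptor such as login's stdin are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW, fchown */
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from shadow): open `path` and return a descriptor
 * only if it is the same character device as the one behind `ref_fd`
 * (e.g. login's own stdin). Returns -1 on any mismatch or error. */
int open_verified_tty(const char *path, int ref_fd)
{
    struct stat ref, cand;

    if (fstat(ref_fd, &ref) != 0 || !S_ISCHR(ref.st_mode))
        return -1;

    /* O_NOFOLLOW: a symlink as the final component fails (the lstat point).
     * O_NOCTTY/O_NONBLOCK: do not acquire a controlling tty or block. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat the descriptor, not the path: the object checked here is the
     * object that is chowned later, so there is no window for a swap. */
    if (fstat(fd, &cand) != 0 || !S_ISCHR(cand.st_mode) ||
        cand.st_rdev != ref.st_rdev ||   /* same device number */
        cand.st_dev  != ref.st_dev  ||   /* same filesystem */
        cand.st_ino  != ref.st_ino) {    /* same inode */
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical wrapper: change ownership through the verified descriptor. */
int chown_verified_tty(const char *path, int ref_fd, uid_t uid, gid_t gid)
{
    int fd = open_verified_tty(path, ref_fd);
    if (fd < 0)
        return -1;
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}
```

O_NOFOLLOW only covers the final path component, so the separate item about scrutinizing directory components is not addressed by this sketch.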
