[Pkg-shadow-devel] Bug#505071: Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
psz at maths.usyd.edu.au
Mon Nov 10 20:36:18 UTC 2008
Curious way of counting bugs. What do you mean exploitable: to do what?
(Surely is_my_tty cannot protect, being buggy itself.)
As I see things, the following bugs are present:
- bad selection of utmp entry [often choosing wrong]
- is_my_tty uses stat [should be lstat]
- is_my_tty compares rdev only [should also test dev ino etc]
- maybe is_my_tty should scrutinize path [ensure directory components
are root-owned and safe]
- race between is_my_tty checks and chown
- chown of unsafe path [should be fchown anyway]
As things are, it is exploitable to elevate privileges from group utmp
to root. It is also buggy, often failing for legitimate use. Fixing all
bugs would be best; fixing some may already render it "safe" against
exploitation, and/or restore functionality.
Please, fix soon. Please change severity.
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
More information about the Pkg-shadow-devel