[Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

Simon Ruderich he29heri at cip.cs.fau.de
Sat Oct 1 18:17:12 UTC 2016


Package: login
Version: 1:4.2-3+deb8u1
Followup-For: Bug #628843

Hello,

Any news on this?

I'm deeply worried that this security issue in su was not fixed
since it was reported over 5 years ago! It still affects jessie
and sid. And the possible implications are not mentioned in the
man page.

As this breaks the use of su to change to less-privileged users,
what is the recommendation to perform this task without using su?

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x1972F726F0D556E7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20161001/cb3bf544/attachment.sig>


More information about the Pkg-shadow-devel mailing list