mirror of
				https://sourceware.org/git/glibc.git
				synced 2025-10-24 13:33:08 +03:00 
			
		
		
		
	The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk.
		
			
				
	
	
		
			45 lines
		
	
	
		
			1.0 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			45 lines
		
	
	
		
			1.0 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| #include <assert.h>
 | |
| #include <ctype.h>
 | |
| #include <dirent.h>
 | |
| #include <errno.h>
 | |
| #include <fcntl.h>
 | |
| #include <paths.h>
 | |
| #include <stdlib.h>
 | |
| #include <unistd.h>
 | |
| 
 | |
| #include <not-cancel.h>
 | |
| 
 | |
| #include "pty-private.h"
 | |
| 
 | |
| #if HAVE_PT_CHOWN
 | |
| /* Close all file descriptors except the one specified.  */
 | |
| static void
 | |
| close_all_fds (void)
 | |
| {
 | |
|   DIR *dir = __opendir ("/proc/self/fd");
 | |
|   if (dir != NULL)
 | |
|     {
 | |
|       struct dirent64 *d;
 | |
|       while ((d = __readdir64 (dir)) != NULL)
 | |
| 	if (isdigit (d->d_name[0]))
 | |
| 	  {
 | |
| 	    char *endp;
 | |
| 	    long int fd = strtol (d->d_name, &endp, 10);
 | |
| 	    if (*endp == '\0' && fd != PTY_FILENO && fd != dirfd (dir))
 | |
| 	      close_not_cancel_no_status (fd);
 | |
| 	  }
 | |
| 
 | |
|       __closedir (dir);
 | |
| 
 | |
|       int nullfd = open_not_cancel_2 (_PATH_DEVNULL, O_RDONLY);
 | |
|       assert (nullfd == STDIN_FILENO);
 | |
|       nullfd = open_not_cancel_2 (_PATH_DEVNULL, O_WRONLY);
 | |
|       assert (nullfd == STDOUT_FILENO);
 | |
|       __dup2 (STDOUT_FILENO, STDERR_FILENO);
 | |
|     }
 | |
| }
 | |
| # define CLOSE_ALL_FDS() close_all_fds()
 | |
| #endif
 | |
| 
 | |
| #include <sysdeps/unix/grantpt.c>
 |