summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCarlos O'Donell <carlos@redhat.com>2013-07-19 02:42:03 -0400
committerCarlos O'Donell <carlos@redhat.com>2013-07-21 15:39:55 -0400
commite4608715e6e1dd2adc91982fd151d5ba4f761d69 (patch)
tree04bc13d3736e14045f0f9fc37e0303a067f943cf
parentda2d62df77de66e5de5755228759f8bc18481871 (diff)
downloadglibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.gz
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk.
-rw-r--r--ChangeLog21
-rw-r--r--INSTALL12
-rw-r--r--NEWS9
-rw-r--r--config.h.in3
-rw-r--r--config.make.in1
-rwxr-xr-xconfigure16
-rw-r--r--configure.in10
-rw-r--r--login/Makefile8
-rw-r--r--manual/install.texi14
-rw-r--r--sysdeps/unix/grantpt.c8
-rw-r--r--sysdeps/unix/sysv/linux/grantpt.c5
11 files changed, 100 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index e709aca1a1..49c346d20a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,24 @@
+2013-07-21 Siddhesh Poyarekar <siddhesh@redhat.com>
+ Andreas Schwab <schwab@suse.de>
+ Roland McGrath <roland@hack.frob.com>
+ Joseph Myers <joseph@codesourcery.com>
+ Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15755]
+ * config.h.in: Define HAVE_PT_CHOWN.
+ * config.make.in (build-pt-chown): New variable.
+ * configure.in (--enable-pt_chown): New configure option.
+ * configure: Regenerate.
+ * login/Makefile: Include Makeconfig. Build pt_chown only if
+ build-pt-chown is enabled.
+ * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+ pt_chown to fix pty ownership.
+ * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+ CLOSE_ALL_FDS.
+ * manual/install.texi (Configuring and compiling): Mention
+ --enable-pt_chown. Add @findex for grantpt.
+ * INSTALL: Regenerate.
+
2013-07-20 David S. Miller <davem@davemloft.net>
* sysdeps/sparc/fpu/libm-test-ulps: Update ULPs to handle minor
diff --git a/INSTALL b/INSTALL
index 721a7fc10c..2c61704b8f 100644
--- a/INSTALL
+++ b/INSTALL
@@ -136,6 +136,18 @@ will be used, and CFLAGS sets optimization options for the compiler.
`--enable-lock-elision=yes'
Enable lock elision for pthread mutexes by default.
+`--enable-pt_chown'
+ The file `pt_chown' is a helper binary for `grantpt' (*note
+ Pseudo-Terminals: Allocation.) that is installed setuid root to
+ fix up pseudo-terminal ownership. It is not built by default
+ because systems using the Linux kernel are commonly built with the
+ `devpts' filesystem enabled and mounted at `/dev/pts', which
+ manages pseudo-terminal ownership automatically. By using
+ `--enable-pt_chown', you may build `pt_chown' and install it
+ setuid and owned by `root'. The use of `pt_chown' introduces
+ additional security risks to the system and you should enable it
+ only if you understand and accept those risks.
+
`--build=BUILD-SYSTEM'
`--host=HOST-SYSTEM'
These options are for cross-compiling. If you specify both
diff --git a/NEWS b/NEWS
index c39157da61..4b2d5ca6d6 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,14 @@ Version 2.18
15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426,
15429, 15431, 15432, 15441, 15442, 15448, 15465, 15480, 15485, 15488,
15490, 15492, 15493, 15497, 15506, 15529, 15536, 15553, 15577, 15583,
- 15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711.
+ 15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711, 15755.
+
+* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
+ has been fixed by disabling the use of pt_chown (Bugzilla #15755).
+ Distributions can re-enable building and using pt_chown via the new configure
+ option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
+ considerable security risks and should only be used if the distribution
+ understands and accepts the risks.
* CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
#15078).
diff --git a/config.h.in b/config.h.in
index 6284e2a99b..a85f131255 100644
--- a/config.h.in
+++ b/config.h.in
@@ -238,4 +238,7 @@
/* The ARM hard-float ABI is being used. */
#undef HAVE_ARM_PCS_VFP
+/* The pt_chown binary is being built and used by grantpt. */
+#undef HAVE_PT_CHOWN
+
#endif
diff --git a/config.make.in b/config.make.in
index b01b70be2b..7b04568a22 100644
--- a/config.make.in
+++ b/config.make.in
@@ -95,6 +95,7 @@ link-obsolete-rpc = @link_obsolete_rpc@
build-nscd = @build_nscd@
use-nscd = @use_nscd@
build-hardcoded-path-in-tests= @hardcoded_path_in_tests@
+build-pt-chown = @build_pt_chown@
# Build tools.
CC = @CC@
diff --git a/configure b/configure
index 59a69f634f..1ee4c42003 100755
--- a/configure
+++ b/configure
@@ -647,6 +647,7 @@ multi_arch
base_machine
add_on_subdirs
add_ons
+build_pt_chown
build_nscd
link_obsolete_rpc
libc_cv_nss_crypt
@@ -756,6 +757,7 @@ enable_obsolete_rpc
enable_systemtap
enable_build_nscd
enable_nscd
+enable_pt_chown
with_cpu
'
ac_precious_vars='build_alias
@@ -1421,6 +1423,7 @@ Optional Features:
--enable-systemtap enable systemtap static probe points [default=no]
--disable-build-nscd disable building and installing the nscd daemon
--disable-nscd library functions will not contact the nscd daemon
+ --enable-pt_chown Enable building and installing pt_chown
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -3711,6 +3714,19 @@ else
fi
+# Check whether --enable-pt_chown was given.
+if test "${enable_pt_chown+set}" = set; then :
+ enableval=$enable_pt_chown; build_pt_chown=$enableval
+else
+ build_pt_chown=no
+fi
+
+
+if test $build_pt_chown = yes; then
+ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
+
+fi
+
# The way shlib-versions is used to generate soversions.mk uses a
# fairly simplistic model for name recognition that can't distinguish
# i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
diff --git a/configure.in b/configure.in
index 4db1acf115..769e8eff66 100644
--- a/configure.in
+++ b/configure.in
@@ -353,6 +353,16 @@ AC_ARG_ENABLE([nscd],
[use_nscd=$enableval],
[use_nscd=yes])
+AC_ARG_ENABLE([pt_chown],
+ [AS_HELP_STRING([--enable-pt_chown],
+ [Enable building and installing pt_chown])],
+ [build_pt_chown=$enableval],
+ [build_pt_chown=no])
+AC_SUBST(build_pt_chown)
+if test $build_pt_chown = yes; then
+ AC_DEFINE(HAVE_PT_CHOWN)
+fi
+
# The way shlib-versions is used to generate soversions.mk uses a
# fairly simplistic model for name recognition that can't distinguish
# i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
diff --git a/login/Makefile b/login/Makefile
index 0bfe643136..430c6d93d6 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -30,9 +30,15 @@ routines := getlogin getlogin_r setlogin getlogin_r_chk \
CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
-others = utmpdump pt_chown
+others = utmpdump
+
+include ../Makeconfig
+
+ifeq (yes,$(build-pt-chown))
+others += pt_chown
others-pie = pt_chown
install-others-programs = $(inst_libexecdir)/pt_chown
+endif
subdir-dirs = programs
vpath %.c programs
diff --git a/manual/install.texi b/manual/install.texi
index 0c05f51bbb..4575d22319 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -163,6 +163,20 @@ so that they can be invoked directly.
@item --enable-lock-elision=yes
Enable lock elision for pthread mutexes by default.
+@pindex pt_chown
+@findex grantpt
+@item --enable-pt_chown
+The file @file{pt_chown} is a helper binary for @code{grantpt}
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
+fix up pseudo-terminal ownership. It is not built by default because
+systems using the Linux kernel are commonly built with the @code{devpts}
+filesystem enabled and mounted at @file{/dev/pts}, which manages
+pseudo-terminal ownership automatically. By using
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
+setuid and owned by @code{root}. The use of @file{pt_chown} introduces
+additional security risks to the system and you should enable it only if
+you understand and accept those risks.
+
@item --build=@var{build-system}
@itemx --host=@var{host-system}
These options are for cross-compiling. If you specify both options and
diff --git a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c
index d37da13506..431be855a3 100644
--- a/sysdeps/unix/grantpt.c
+++ b/sysdeps/unix/grantpt.c
@@ -173,9 +173,10 @@ grantpt (int fd)
retval = 0;
goto cleanup;
- /* We have to use the helper program. */
+ /* We have to use the helper program if it is available. */
helper:;
+#ifdef HAVE_PT_CHOWN
pid_t pid = __fork ();
if (pid == -1)
goto cleanup;
@@ -190,9 +191,9 @@ grantpt (int fd)
if (__dup2 (fd, PTY_FILENO) < 0)
_exit (FAIL_EBADF);
-#ifdef CLOSE_ALL_FDS
+# ifdef CLOSE_ALL_FDS
CLOSE_ALL_FDS ();
-#endif
+# endif
execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
_exit (FAIL_EXEC);
@@ -231,6 +232,7 @@ grantpt (int fd)
assert(! "getpt: internal error: invalid exit code from pt_chown");
}
}
+#endif
cleanup:
if (buf != _buf)
diff --git a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c
index 0a3cd472fa..8cebde36ed 100644
--- a/sysdeps/unix/sysv/linux/grantpt.c
+++ b/sysdeps/unix/sysv/linux/grantpt.c
@@ -11,7 +11,7 @@
#include "pty-private.h"
-
+#if HAVE_PT_CHOWN
/* Close all file descriptors except the one specified. */
static void
close_all_fds (void)
@@ -38,6 +38,7 @@ close_all_fds (void)
__dup2 (STDOUT_FILENO, STDERR_FILENO);
}
}
-#define CLOSE_ALL_FDS() close_all_fds()
+# define CLOSE_ALL_FDS() close_all_fds()
+#endif
#include <sysdeps/unix/grantpt.c>