From: Carlos O'Donell Date: Fri, 19 Jul 2013 06:42:03 +0000 (-0400) Subject: CVE-2013-2207, BZ #15755: Disable pt_chown. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7e0492e183efc24e5658c860ca5711e00524dd7;p=thirdparty%2Fglibc.git CVE-2013-2207, BZ #15755: Disable pt_chown. The helper binary pt_chown can be tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable the use of pt_chown but distributions do so at their own risk. Cherry-pick of e4608715e6e1dd2adc91982fd151d5ba4f761d69. --- diff --git a/ChangeLog b/ChangeLog index ca203b49822..26e3868815a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,24 @@ +2013-07-21 Siddhesh Poyarekar + Andreas Schwab + Roland McGrath + Joseph Myers + Carlos O'Donell + + [BZ #15755] + * config.h.in: Define HAVE_PT_CHOWN. + * config.make.in (build-pt-chown): New variable. + * configure.in (--enable-pt_chown): New configure option. + * configure: Regenerate. + * login/Makefile: Include Makeconfig. Build pt_chown only if + build-pt-chown is enabled. + * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn + pt_chown to fix pty ownership. + * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define + CLOSE_ALL_FDS. + * manual/install.texi (Configuring and compiling): Mention + --enable-pt_chown. Add @findex for grantpt. + * INSTALL: Regenerate. + 2012-11-28 Jeff Law Martin Osvald diff --git a/INSTALL b/INSTALL index d4fabe96c75..2f83f2a0d44 100644 --- a/INSTALL +++ b/INSTALL @@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimization options for the compiler. this can be prevented though there generally is no reason since it creates compatibility problems. +`--enable-pt_chown' + The file `pt_chown' is a helper binary for `grantpt' (*note + Pseudo-Terminals: Allocation.) that is installed setuid root to + fix up pseudo-terminal ownership. It is not built by default + because systems using the Linux kernel are commonly built with the + `devpts' filesystem enabled and mounted at `/dev/pts', which + manages pseudo-terminal ownership automatically. By using + `--enable-pt_chown', you may build `pt_chown' and install it + setuid and owned by `root'. The use of `pt_chown' introduces + additional security risks to the system and you should enable it + only if you understand and accept those risks. + `--build=BUILD-SYSTEM' `--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both diff --git a/NEWS b/NEWS index cab722b6e1f..bbcb0248165 100644 --- a/NEWS +++ b/NEWS 
@@ -9,7 +9,14 @@ Version 2.16.1 * The following bugs are resolved with this release: - 6530, 14195, 14459, 14476, 14562, 14621, 14648, 14756, 14831 + 6530, 14195, 14459, 14476, 14562, 14621, 14648, 14756, 14831, 15755. + +* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal + has been fixed by disabling the use of pt_chown (Bugzilla #15755). + Distributions can re-enable building and using pt_chown via the new configure + option `--enable-pt_chown'. Enabling the use of pt_chown carries with it + considerable security risks and should only be used if the distribution + understands and accepts the risks. * CVE-2011-4609 svc_run() produces high cpu usage when accept fails with EMFILE has been fixed (Bugzilla #14889). diff --git a/config.h.in b/config.h.in index dd184b0cf47..8a78e84332e 100644 --- a/config.h.in +++ b/config.h.in @@ -228,4 +228,7 @@ /* The ARM hard-float ABI is being used. */ #undef HAVE_ARM_PCS_VFP +/* The pt_chown binary is being built and used by grantpt. */ +#undef HAVE_PT_CHOWN + #endif diff --git a/config.make.in b/config.make.in index 65410abe1b9..ce5a60ed3c5 100644 --- a/config.make.in +++ b/config.make.in @@ -99,6 +99,7 @@ sysdeps-add-ons = @sysdeps_add_ons@ cross-compiling = @cross_compiling@ force-install = @force_install@ link-obsolete-rpc = @link_obsolete_rpc@ +build-pt-chown = @build_pt_chown@ # Build tools. CC = @CC@ diff --git a/configure b/configure index aa7869ff178..d25e2e6cab1 100755 --- a/configure +++ b/configure @@ -654,6 +654,7 @@ multi_arch base_machine add_on_subdirs add_ons +build_pt_chown link_obsolete_rpc libc_cv_nss_crypt all_warnings @@ -749,6 +750,7 @@ enable_multi_arch enable_nss_crypt enable_obsolete_rpc enable_systemtap +enable_pt_chown with_cpu ' ac_precious_vars='build_alias 
@@ -1407,6 +1409,7 @@ Optional Features: --enable-obsolete-rpc build and install the obsolete RPC code for link-time usage --enable-systemtap enable systemtap static probe points [default=no] + --enable-pt_chown Enable building and installing pt_chown Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3751,6 +3754,21 @@ See \`config.log' for more details" "$LINENO" 5; } fi fi + + +# Check whether --enable-pt_chown was given. +if test "${enable_pt_chown+set}" = set; then : + enableval=$enable_pt_chown; build_pt_chown=$enableval +else + build_pt_chown=no +fi + + +if test $build_pt_chown = yes; then + $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h + +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os diff --git a/configure.in b/configure.in index 5028e6411e4..7bac2f75ace 100644 --- a/configure.in +++ b/configure.in @@ -292,6 +292,16 @@ void foo (int i, void *p) fi fi +AC_ARG_ENABLE([pt_chown], + [AS_HELP_STRING([--enable-pt_chown], + [Enable building and installing pt_chown])], + [build_pt_chown=$enableval], + [build_pt_chown=no]) +AC_SUBST(build_pt_chown) +if test $build_pt_chown = yes; then + AC_DEFINE(HAVE_PT_CHOWN) +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os diff --git a/login/Makefile b/login/Makefile index 9b6d2bb78c7..4ec17db2f0d 100644 --- a/login/Makefile +++ b/login/Makefile 
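Review bot: The help string in the `AC_ARG_ENABLE([pt_chown], ...)` call in configure.in reads only "Enable building and installing pt_chown", so `./configure --help` gives no hint that the option installs a setuid-root helper which this commit disables by default for CVE-2013-2207. I would word it as `[Enable building and installing the setuid-root pt_chown helper (security risk, see INSTALL)]` and regenerate configure. Separately, `if test $build_pt_chown = yes` is unquoted. Any value other than `yes` already leaves HAVE_PT_CHOWN undefined, which is the safe direction, but `if test "x$build_pt_chown" = xyes; then` avoids a `test` syntax error when the option is given an empty value.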
@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid getutline getutid_r getutline_r \ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' -others = utmpdump pt_chown +others = utmpdump + +include ../Makeconfig + +ifeq (yes,$(build-pt-chown)) +others += pt_chown others-pie = pt_chown install-others-programs = $(inst_libexecdir)/pt_chown +endif subdir-dirs = programs vpath %.c programs diff --git a/manual/install.texi b/manual/install.texi index 5aca058653b..66a34e0cfc3 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -154,6 +154,20 @@ if the used tools support it. By using @samp{--without-tls} this can be prevented though there generally is no reason since it creates compatibility problems. +@pindex pt_chown +@findex grantpt +@item --enable-pt_chown +The file @file{pt_chown} is a helper binary for @code{grantpt} +(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to +fix up pseudo-terminal ownership. It is not built by default because +systems using the Linux kernel are commonly built with the @code{devpts} +filesystem enabled and mounted at @file{/dev/pts}, which manages +pseudo-terminal ownership automatically. By using +@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it +setuid and owned by @code{root}. The use of @file{pt_chown} introduces +additional security risks to the system and you should enable it only if +you understand and accept those risks. + @item --build=@var{build-system} @itemx --host=@var{host-system} These options are for cross-compiling. If you specify both options and diff --git a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c index 06c35e7464d..66ff3d9f41a 100644 --- a/sysdeps/unix/grantpt.c +++ b/sysdeps/unix/grantpt.c @@ -173,9 +173,10 @@ grantpt (int fd) retval = 0; goto cleanup; - /* We have to use the helper program. */ + /* We have to use the helper program if it is available. */ helper:; +#ifdef HAVE_PT_CHOWN pid_t pid = __fork (); if (pid == -1) goto cleanup; 
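Review bot: Moving `pt_chown` out of `others` and `install-others-programs` stops new builds from installing the helper, but nothing in this hunk removes a setuid-root `pt_chown` left in `$(inst_libexecdir)` by an earlier install. The commit message describes the attack as going through the installed setuid binary, so an upgraded system that keeps the old file would presumably stay exposed even though grantpt no longer spawns it. A comment above the `ifeq (yes,$(build-pt-chown))` block would make this explicit for packagers, for example `# pt_chown is installed setuid root and is built only with --enable-pt_chown; a copy left by an earlier install is not removed here and must be deleted by the packager.` The same caveat would fit the NEWS entry, which currently says only that the CVE is fixed by disabling the use of pt_chown.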
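Review bot: With HAVE_PT_CHOWN undefined, the `helper:;` label in grantpt now falls straight through to `cleanup:`, and the reworded comment "if it is available" does not say what the caller gets in that case. The visible success path sets `retval = 0` before `goto cleanup`, so the fall-through presumably returns the initial failure value with errno left by whichever call jumped to `helper`. The initialisation of retval and those jumps are outside the hunk, so this should be confirmed against the full function. I would extend the comment to something like `/* Without HAVE_PT_CHOWN there is no helper: fall through to cleanup and report the original failure. */`. The closing directive in the later hunk would also read better as `#endif /* HAVE_PT_CHOWN */`, since by the hunk headers it sits more than fifty lines below its `#ifdef`.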
@@ -190,9 +191,9 @@ grantpt (int fd) if (__dup2 (fd, PTY_FILENO) < 0) _exit (FAIL_EBADF); -#ifdef CLOSE_ALL_FDS +# ifdef CLOSE_ALL_FDS CLOSE_ALL_FDS (); -#endif +# endif execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL); _exit (FAIL_EXEC); @@ -231,6 +232,7 @@ grantpt (int fd) assert(! "getpt: internal error: invalid exit code from pt_chown"); } } +#endif cleanup: if (buf != _buf) diff --git a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c index 0a3cd472fa2..8cebde36ed0 100644 --- a/sysdeps/unix/sysv/linux/grantpt.c +++ b/sysdeps/unix/sysv/linux/grantpt.c @@ -11,7 +11,7 @@ #include "pty-private.h" - +#if HAVE_PT_CHOWN /* Close all file descriptors except the one specified. */ static void close_all_fds (void) @@ -38,6 +38,7 @@ close_all_fds (void) __dup2 (STDOUT_FILENO, STDERR_FILENO); } } -#define CLOSE_ALL_FDS() close_all_fds() +# define CLOSE_ALL_FDS() close_all_fds() +#endif #include
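Review bot: The guard added in sysdeps/unix/sysv/linux/grantpt.c is `#if HAVE_PT_CHOWN`, while sysdeps/unix/grantpt.c in the same commit uses `#ifdef HAVE_PT_CHOWN` around the code that calls `CLOSE_ALL_FDS ()`. Both behave the same when configure writes `#define HAVE_PT_CHOWN 1`, but they diverge if the macro is ever defined to 0 or left empty, and `#if` on an undefined macro trips `-Wundef`. Using `#ifdef HAVE_PT_CHOWN` in both files keeps `close_all_fds` and its caller under one condition. The matching `#endif` in the second hunk of this file would also read better as `#endif /* HAVE_PT_CHOWN */`.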