1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
|
From 5d96012d9978efe4bad88a38e2efcbeada9f7585 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Thu, 22 Aug 2013
Subject: CVE-2013-2207, BZ #15755: Disable pt_chown.
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable the use of pt_chown but distributions do so at their own
risk.
---
This patch was adapted for glibc 2.17 point release from:
http://sourceware.org/git/?p=glibc.git;a=commit;h=e4608715e6e1
---
INSTALL | 12 ++++++++++++
config.h.in | 3 +++
config.make.in | 1 +
configure | 15 +++++++++++++++
configure.in | 10 ++++++++++
login/Makefile | 8 +++++++-
manual/install.texi | 14 ++++++++++++++
sysdeps/unix/grantpt.c | 8 +++++---
sysdeps/unix/sysv/linux/grantpt.c | 5 +++--
9 files changed, 70 insertions(+), 6 deletions(-)
---
--- a/INSTALL
+++ b/INSTALL
@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
this can be prevented though there generally is no reason since it
creates compatibility problems.
+`--enable-pt_chown'
+ The file `pt_chown' is a helper binary for `grantpt' (*note
+ Pseudo-Terminals: Allocation.) that is installed setuid root to
+ fix up pseudo-terminal ownership. It is not built by default
+ because systems using the Linux kernel are commonly built with the
+ `devpts' filesystem enabled and mounted at `/dev/pts', which
+ manages pseudo-terminal ownership automatically. By using
+ `--enable-pt_chown', you may build `pt_chown' and install it
+ setuid and owned by `root'. The use of `pt_chown' introduces
+ additional security risks to the system and you should enable it
+ only if you understand and accept those risks.
+
`--build=BUILD-SYSTEM'
`--host=HOST-SYSTEM'
These options are for cross-compiling. If you specify both
--- a/config.h.in
+++ b/config.h.in
@@ -232,4 +232,7 @@
/* The ARM hard-float ABI is being used. */
#undef HAVE_ARM_PCS_VFP
+/* The pt_chown binary is being built and used by grantpt. */
+#undef HAVE_PT_CHOWN
+
#endif
--- a/config.make.in
+++ b/config.make.in
@@ -101,6 +101,7 @@ force-install = @force_install@
link-obsolete-rpc = @link_obsolete_rpc@
build-nscd = @build_nscd@
use-nscd = @use_nscd@
+build-pt-chown = @build_pt_chown@
# Build tools.
CC = @CC@
--- a/configure
+++ b/configure
@@ -653,6 +653,7 @@ multi_arch
base_machine
add_on_subdirs
add_ons
+build_pt_chown
build_nscd
link_obsolete_rpc
libc_cv_nss_crypt
@@ -759,6 +760,7 @@ enable_obsolete_rpc
enable_systemtap
enable_build_nscd
enable_nscd
+enable_pt_chown
with_cpu
'
ac_precious_vars='build_alias
@@ -1419,6 +1421,7 @@ Optional Features:
--enable-systemtap enable systemtap static probe points [default=no]
--disable-build-nscd disable building and installing the nscd daemon
--disable-nscd library functions will not contact the nscd daemon
+ --enable-pt_chown Enable building and installing pt_chown
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -3933,6 +3936,18 @@ else
use_nscd=yes
fi
+# Check whether --enable-pt_chown was given.
+if test "${enable_pt_chown+set}" = set; then :
+ enableval=$enable_pt_chown; build_pt_chown=$enableval
+else
+ build_pt_chown=no
+fi
+
+
+if test $build_pt_chown = yes; then
+ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
+
+fi
# The way shlib-versions is used to generate soversions.mk uses a
# fairly simplistic model for name recognition that can't distinguish
--- a/configure.in
+++ b/configure.in
@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
[use_nscd=$enableval],
[use_nscd=yes])
+AC_ARG_ENABLE([pt_chown],
+ [AS_HELP_STRING([--enable-pt_chown],
+ [Enable building and installing pt_chown])],
+ [build_pt_chown=$enableval],
+ [build_pt_chown=no])
+AC_SUBST(build_pt_chown)
+if test $build_pt_chown = yes; then
+ AC_DEFINE(HAVE_PT_CHOWN)
+fi
+
# The way shlib-versions is used to generate soversions.mk uses a
# fairly simplistic model for name recognition that can't distinguish
# i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
--- a/login/Makefile
+++ b/login/Makefile
@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
-others = utmpdump pt_chown
+others = utmpdump
+
+include ../Makeconfig
+
+ifeq (yes,$(build-pt-chown))
+others += pt_chown
others-pie = pt_chown
install-others-programs = $(inst_libexecdir)/pt_chown
+endif
subdir-dirs = programs
vpath %.c programs
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -155,6 +155,20 @@ if the used tools support it. By using
prevented though there generally is no reason since it creates
compatibility problems.
+@pindex pt_chown
+@findex grantpt
+@item --enable-pt_chown
+The file @file{pt_chown} is a helper binary for @code{grantpt}
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
+fix up pseudo-terminal ownership. It is not built by default because
+systems using the Linux kernel are commonly built with the @code{devpts}
+filesystem enabled and mounted at @file{/dev/pts}, which manages
+pseudo-terminal ownership automatically. By using
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
+setuid and owned by @code{root}. The use of @file{pt_chown} introduces
+additional security risks to the system and you should enable it only if
+you understand and accept those risks.
+
@item --build=@var{build-system}
@itemx --host=@var{host-system}
These options are for cross-compiling. If you specify both options and
--- a/sysdeps/unix/grantpt.c
+++ b/sysdeps/unix/grantpt.c
@@ -173,9 +173,10 @@ grantpt (int fd)
retval = 0;
goto cleanup;
- /* We have to use the helper program. */
+ /* We have to use the helper program if it is available.. */
helper:;
+#ifdef HAVE_PT_CHOWN
pid_t pid = __fork ();
if (pid == -1)
goto cleanup;
@@ -190,9 +191,9 @@ grantpt (int fd)
if (__dup2 (fd, PTY_FILENO) < 0)
_exit (FAIL_EBADF);
-#ifdef CLOSE_ALL_FDS
+# ifdef CLOSE_ALL_FDS
CLOSE_ALL_FDS ();
-#endif
+# endif
execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
_exit (FAIL_EXEC);
@@ -231,6 +232,7 @@ grantpt (int fd)
assert(! "getpt: internal error: invalid exit code from pt_chown");
}
}
+#endif
cleanup:
if (buf != _buf)
--- a/sysdeps/unix/sysv/linux/grantpt.c
+++ b/sysdeps/unix/sysv/linux/grantpt.c
@@ -11,7 +11,7 @@
#include "pty-private.h"
-
+#if HAVE_PT_CHOWN
/* Close all file descriptors except the one specified. */
static void
close_all_fds (void)
@@ -38,6 +38,7 @@ close_all_fds (void)
__dup2 (STDOUT_FILENO, STDERR_FILENO);
}
}
-#define CLOSE_ALL_FDS() close_all_fds()
+# define CLOSE_ALL_FDS() close_all_fds()
+#endif
#include <sysdeps/unix/grantpt.c>
|