This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: "Joseph S. Myers" <joseph at codesourcery dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, David Miller <davem at davemloft dot net>, Roland McGrath <roland at hack dot frob dot com>, Andreas Schwab <schwab at suse dot de>, Andreas Jaeger <aj at suse dot com>, Ryan Arnold <rsa at us dot ibm dot com>, Alexandre Oliva <aoliva at redhat dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>
- Date: Sun, 21 Jul 2013 13:44:15 -0400
- Subject: Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal
- References: <51E8D4C1 dot 9000705 at redhat dot com> <Pine dot LNX dot 4 dot 64 dot 1307191640360 dot 9428 at digraph dot polyomino dot org dot uk>
On 07/19/2013 12:41 PM, Joseph S. Myers wrote:
> On Fri, 19 Jul 2013, Carlos O'Donell wrote:
>
>> NEWS
>>
>> * CVE-2013-2207 Granting access to another user's pseudo-terminal
>> has been fixed by disabling pt_chown (Bugzilla #15755).
>
> I think the NEWS entry should refer to the new configure option as well.
>
I've checked in the fix and the following NEWS entry:

* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
has been fixed by disabling the use of pt_chown (Bugzilla #15755).
Distributions can re-enable building and using pt_chown via the new configure
option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
considerable security risks and should only be used if the distribution
understands and accepts the risks.

Cheers,
Carlos.