wall(1) in all versions of util-linux since ~2013 until now ( does not filter escape sequences; this can be used to manipulate users with backspacing over prompts, etc. We only build wall(1) with USE=tty-helpers

The example exploits require things like ps visibility (could be prevented by hidepid=) and leverage things like command-not-found wrappers (not used on Gentoo systems by default if at all?) or users using sudo. But probably more creative tactics could be used where those conditions aren't met.

The advisory does not mention any communications with upstreams or distros. The CVE has been issued but isn't visible from NIST, MITRE, etc. I can find no public discussion in util-linux github, etc.

However, Ubuntu apparently shipped a patch about an hour ago:
https://launchpad.net/ubuntu/+source/util-linux/2.39.1-4ubuntu2.1
http://launchpadlibrarian.net/720653769/util-linux_2.39.1-4ubuntu2_2.39.1-4ubuntu2.1.diff.gz

I have not tested that patch yet. It has not landed in https://github.com/util-linux/util-linux/blob/master/term-utils/wall.c
That fix has hit the stable/v2.40 branch: https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253

But neither master nor stable/v2.39 branches.

Also, as soon as this got attention, more related issues have been pointed out: https://marc.info/?l=oss-security&m=171157493020922&w=4
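The root cause discussed in these comments is that wall(1) passed message bytes to the recipient's tty unfiltered, so terminal control sequences in a message acted on the reader's terminal. The following is an added illustration, not util-linux code and not the upstream or Ubuntu patch: a small sanitizer that renders every control byte visibly in caret notation before the text reaches a tty, plus a check that a defender could use to flag a message containing such bytes. The function names, the pass-through of newline and tab, and the choice of caret notation are this example's own assumptions.

```c
/* Added example (not from util-linux): neutralise terminal control bytes in a
 * broadcast message before writing it to a tty, in the spirit of the
 * CVE-2024-28085 fix. Names and escaping policy are this example's choices. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Returns 1 if msg contains any control byte other than '\n' or '\t'
 * (ESC 0x1b, BS 0x08, CR 0x0d, DEL 0x7f, ...), else 0. Useful for logging
 * or rejecting suspicious messages before they are broadcast. */
int has_tty_control(const char *msg)
{
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        if (*p == '\n' || *p == '\t')
            continue;
        if (*p < 0x20 || *p == 0x7f)
            return 1;
    }
    return 0;
}

/* Copy msg into out (capacity outsz, NUL-terminated) with every control byte
 * except '\n' and '\t' replaced by caret notation: ESC -> "^[", BS -> "^H",
 * DEL -> "^?". Bytes >= 0x80 (e.g. UTF-8) are passed through unchanged; a
 * stricter policy could escape those as well. Returns the number of bytes
 * written (excluding the NUL), or -1 if out is too small. */
int sanitize_for_tty(const char *msg, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        unsigned char c = *p;
        if (c == '\n' || c == '\t') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        } else if (c < 0x20 || c == 0x7f) {
            if (o + 2 >= outsz) return -1;
            out[o++] = '^';
            out[o++] = (char)(c ^ 0x40);   /* 0x1b -> '[', 0x08 -> 'H', 0x7f -> '?' */
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a message carrying an ESC sequence and a backspace. */
    const char *msg = "maintenance at 22:00\x1b[2J\x08 please save your work\n";
    char safe[128];

    if (has_tty_control(msg))
        fprintf(stderr, "note: message contained terminal control bytes\n");
    if (sanitize_for_tty(msg, safe, sizeof safe) < 0)
        return 1;
    fputs(safe, stdout);   /* prints the sequence as ^[[2J^H, harmless on the tty */
    return 0;
}
```

The caret form is deliberate: the recipient still sees that something odd was in the message, which is what makes a manipulated prompt or overwritten output noticeable rather than silently erased.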
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5af27a0a2b08e0035abb6a7e080aaa27cf80ce63

commit 5af27a0a2b08e0035abb6a7e080aaa27cf80ce63
Author: Sam James <sam@gentoo.org>
AuthorDate: 2024-03-28 16:42:03 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-03-28 16:42:03 +0000

sys-apps/util-linux: backport fix for CVE-2024-28085

Bug: https://bugs.gentoo.org/927980
Signed-off-by: Sam James <sam@gentoo.org>

.../files/util-linux-2.39.3-CVE-2024-28085.patch | 25 ++
sys-apps/util-linux/util-linux-2.39.3-r6.ebuild | 415 +++++++++++++++++++++
2 files changed, 440 insertions(+)
(In reply to Hank Leininger from comment #0)
> wall(1) in all versions of util-linux since ~2013 until now ( does not
> filter escape sequences; this can be used to manipulate users with
> backspacing over prompts, etc. We only build wall(1) with USE=tty-helpers
>
> The example exploits require things like ps visibility (could be prevented
> by hidepid=) and leverage things like command-not-found wrappers (not used
> on Gentoo systems by default if at all?) or users using sudo. But probably
> more creative tactics could be used where those conditions aren't met.
>
> The advisory does not mention any communications with upstreams or distros.
> The CVE has been issued but isn't visible from NIST, MITRE, etc. I can find
> no public discussion in util-linux github, etc.

Although not mentioned in the advisory, I did report the issue to distros openwall. Not sure if Gentoo is in that mailing list.

Like you mentioned, my exploit requires certain conditions, but it is possible to use this bug without them. In terms of "could be prevented by hidepid", it may be possible to use atimes or side channels (flush+reload) to "know" when commands are executed. It is also possible to attack a user who does not have a "command-not-found" style wrapper. We could wait for a user to run a command like "cat ~/.ssh/id_rsa.pub", and overwrite their key in the terminal with our own. Command not found is just a very convenient way to leak information, and makes exploitation much more dangerous.

That being said, I don't think this bug is that bad on Gentoo if you don't have a command not found handler. It would be quite difficult to exploit, and you would have to craft an attack against a particular user's workflow.