
Bug 371581

Summary: app-misc/tmux: -S utmp Privilege Escalation (CVE-2011-1496)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: idl0r, shell-tools, wired
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-14 09:42:54 UTC
CVE-2011-1496 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1496):
  tmux 1.3 and 1.4 does not properly drop group privileges, which allows local
  users to gain utmp group privileges via a filename to the -S command-line
  option.
Comment 1 Alex Alexander (RETIRED) gentoo-dev 2011-06-30 16:50:35 UTC
Unless I'm missing something, we're not affected by this, because in Gentoo tmux runs under the user's group, not utmp.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-07-03 17:29:38 UTC
(In reply to comment #1)
> Unless I'm missing something, we're not affected by this, because in Gentoo
> tmux runs under the user's group, not utmp.

Thanks, Alex. Verified locally using tmux-1.4. Closing as INVALID.
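
The comments above turn on whether tmux runs with the utmp group or the user's own group. One way to check that on a host is to look at the installed binary's setgid bit and group owner. This is an added example, not part of the bug report or of Gentoo's tooling, and the function names `file_group` and `classify_setgid` are hypothetical:

```shell
#!/bin/sh
# Added example: classify a binary by whether it is installed setgid to a
# given group (utmp by default), the condition this bug's comments discuss.

# Print the group owner of a file (4th field of ls -ld, following symlinks).
file_group() {
    ls -ldL -- "$1" | awk '{print $4}'
}

# classify_setgid FILE [GROUP]
# Prints one of:
#   missing          FILE does not exist
#   not-setgid       setgid bit clear: the process keeps the caller's group
#   setgid-other:G   setgid, but to a group G other than GROUP
#   setgid-match:G   setgid to GROUP: the binary runs with that group
classify_setgid() {
    file=$1
    want=${2:-utmp}
    if [ ! -e "$file" ]; then
        echo missing
        return 0
    fi
    if [ ! -g "$file" ]; then
        echo not-setgid
        return 0
    fi
    grp=$(file_group "$file")
    if [ "$grp" = "$want" ]; then
        echo "setgid-match:$grp"
    else
        echo "setgid-other:$grp"
    fi
}

# Report on the tmux found on PATH, if there is one.
tmux_path=$(command -v tmux 2>/dev/null || true)
if [ -n "$tmux_path" ]; then
    printf '%s: %s\n' "$tmux_path" "$(classify_setgid "$tmux_path" utmp)"
fi
```

A result of `not-setgid` corresponds to the situation described in comment 1, where tmux runs under the user's group.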