
Bug 488084 (CVE-2013-2207)

Summary: <sys-libs/glibc-2.16.0: pt_chown priv escalation (CVE-2013-2207)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=15755
Whiteboard: A1 [glsa cleanup]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-15 03:27:24 UTC
CVE-2013-2207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2207):
  pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly
  check permissions for tty files, which allows local users to change the
  permission on the files and obtain access to arbitrary pseudo-terminals by
  leveraging a FUSE file system.
https://sourceware.org/bugzilla/show_bug.cgi?id=15755

Any chance of a backport?
Comment 1 SpanKY gentoo-dev 2013-10-15 16:28:33 UTC
This is largely a non-issue for us. I disabled the suid in glibc starting in the 2.16.0 release.
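The CVE text above concerns pt_chown, the setuid helper glibc uses to hand out pseudo-terminal ownership, and the comment above notes that the Gentoo build stopped installing it setuid from 2.16.0. The following audit helper is an added example, not code from the bug, from glibc or from Gentoo: it reports whether a pt_chown binary on the host still carries the setuid bit, which is the configuration that matters for this issue. The install paths it probes are assumptions; pass additional candidate paths as arguments if your distribution uses another location.

```shell
#!/bin/sh
# Added audit helper (not part of the Gentoo bug or of glibc). It checks
# whether a pt_chown binary is installed with the setuid bit, the
# configuration relevant to CVE-2013-2207. Paths below are assumptions.

# pt_chown_suid_state FILE
#   returns 0 if FILE exists and carries the setuid bit,
#           1 if FILE exists without it,
#           2 if FILE is absent.
pt_chown_suid_state() {
    f="$1"
    if [ ! -e "$f" ]; then
        return 2
    fi
    # POSIX test(1): -u is true when the setuid bit is set.
    if [ -u "$f" ]; then
        return 0
    fi
    return 1
}

# audit_pt_chown [EXTRA_PATH ...]
#   Prints one line per pt_chown binary found and returns 0 if any of
#   them is setuid (a finding), 1 otherwise. The two leading paths are
#   assumed common install locations, not taken from the bug report.
audit_pt_chown() {
    found_suid=1
    for f in /usr/libexec/pt_chown /usr/lib/pt_chown "$@"; do
        pt_chown_suid_state "$f"
        case $? in
            0)
                echo "FINDING: setuid pt_chown present at $f (affected if glibc < 2.18)"
                found_suid=0
                ;;
            1)
                echo "ok: pt_chown present without setuid at $f"
                ;;
            2)
                ;;
        esac
    done
    return $found_suid
}

# Run the audit when executed directly; glibc 2.18 and later, and Gentoo
# glibc 2.16.0 and later, are expected to produce no FINDING lines.
audit_pt_chown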

Comment 2 SpanKY gentoo-dev 2014-02-18 19:25:40 UTC
glibc-2.17 is stable now too.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 03:19:59 UTC
Added to an existing GLSA request.

But we need to do something about cleaning up the tree... glibc goes back to version 2.10.1-r1, which is clearly vulnerable.

Any recommendations?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 02:32:13 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:18 UTC
This issue was resolved and addressed in GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).