CVE-2013-2207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2207): pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system. https://sourceware.org/bugzilla/show_bug.cgi?id=15755 Any chance of a backport?
This is largely a non-issue for us. I disabled the suid in glibc starting in the 2.16.0 release.
glibc-2.17 is stable now too
Added to an existing GLSA request. But we need to do something about cleaning up the tree... glibc goes back to version 2.10.1-r1, clearly vulnerable. Any recommendations?
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).