Bug 488084 (CVE-2013-2207) - <sys-libs/glibc-2.16.0: pt_chown priv escalation (CVE-2013-2207)
Summary: <sys-libs/glibc-2.16.0: pt_chown priv escalation (CVE-2013-2207)
Status: RESOLVED FIXED
Alias: CVE-2013-2207
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa cleanup]
Keywords:
Depends on:
Blocks:
Reported: 2013-10-15 03:27 UTC by GLSAMaker/CVETool Bot
Modified: 2015-03-08 14:54 UTC (History)
CC List: 0 users
See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-15 03:27:24 UTC
CVE-2013-2207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2207):
  pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly
  check permissions for tty files, which allows local users to change the
  permission on the files and obtain access to arbitrary pseudo-terminals by
  leveraging a FUSE file system.


https://sourceware.org/bugzilla/show_bug.cgi?id=15755

Any chance of a backport?
Comment 1 SpanKY gentoo-dev 2013-10-15 16:28:33 UTC
This is largely a non-issue for us. I disabled the suid in glibc starting in the 2.16.0 release.
Comment 2 SpanKY gentoo-dev 2014-02-18 19:25:40 UTC
glibc-2.17 is stable now too.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-06-16 03:19:59 UTC
Added to an existing GLSA request.

But we need to do something about cleaning up the tree... glibc goes back to version 2.10.1-r1 clearly vulnerable.

Any recommendations?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 02:32:13 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:18 UTC
This issue was resolved and addressed in GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).