[Full-disclosure] gnome-pty-helper writes arbitrary utmp records

From: Paul Szabo (psz_at_maths.usyd.edu.au)
Date: 10/07/05

  • Next message: Mandriva Security Team: "[Full-disclosure] MDKSA-2005:176 - Updated webmin package fixes authentication bypass vulnerability"
    Date: Sat, 8 Oct 2005 07:29:23 +1000
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    
    

    For full details please see

      http://bugs.debian.org/329156

    Extracts from above:

     Paul Szabo <psz@maths.usyd.edu.au>:
      gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
      DISPLAY (host) settings. ...
      ...
      I do not know any root escalation methods. ... cannot think of any
      "important" uses of utmp/wtmp files. ...

     Steve Langasek, Debian Developer:
      Hmm... After rereading the definition at
      <http://www.debian.org/Bugs/Developer#severities>, I guess there's no
      reason for this bug to not fall under the description of 'critical',
      since the security hole is present just from the installation of the
      package.

     Loïc Minier:
      This vulnerability is identified as CAN-2005-0023. The upstream
      developers of vte have been notified of the bug at:
        <http://bugzilla.gnome.org/show_bug.cgi?id=317312>

     Martin Schulze (Joey):
      being able to write arbitrary strings into valid records without
      overwriting any other data in utmp/wtmp can hardly be classified
      as a security vulnerability.
      ...
      Ok, so unless somebody proves us wrong we don't consider this a
      security problem.

    Cheers,

    Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
    School of Mathematics and Statistics University of Sydney Australia
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
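
Added example, not part of the original message or the Debian bug report: since the host field of a utmp record can hold an arbitrary string, a tool that reads utmp/wtmp should treat that field as untrusted. The sketch below parses records, escapes the host for display and flags values that do not look like an X display or host name. The glibc Linux record layout (384 bytes), the plausibility pattern and the sample records are assumptions made for this illustration.

```python
import re
import struct

# Assumption: glibc "struct utmp" layout on Linux (384 bytes per record).
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS = 7  # ut_type of a logged-in session

# Illustrative heuristic (an assumption): an X display such as ":0" or
# "host:10.0", or a plain host name / IPv4 address.
PLAUSIBLE_HOST = re.compile(r"^[A-Za-z0-9._-]*(:\d+(\.\d+)?)?\Z")


def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def printable(text):
    """Escape control and non-ASCII bytes so the untrusted field is shown literally."""
    return "".join(c if 32 <= ord(c) < 127 else "\\x%02x" % ord(c) for c in text)


def audit(data):
    """Return (line, user, escaped_host, suspicious) for each session record."""
    rows = []
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        if rec[0] != USER_PROCESS:
            continue
        line, user, host = cstr(rec[2]), cstr(rec[4]), cstr(rec[5])
        rows.append((line, user, printable(host), not PLAUSIBLE_HOST.match(host)))
    return rows


def make_record(line, user, host, pid=1000):
    """Build one constructed record for the demo below."""
    return UTMP.pack(USER_PROCESS, pid, line, b"", user, host,
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


# Constructed sample data, not taken from any real system.
SAMPLE = (make_record(b"pts/0", b"alice", b":0.0")
          + make_record(b"pts/1", b"bob", b"not a display\x07"))

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```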

