Paul Szabo <psz (at) maths.usyd.edu (dot) au [email concealed]>:
gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. ...
...
I do not know any root escalation methods. ... cannot think of any
"important" uses of utmp/wtmp files. ...
Steve Langasek, Debian Developer:
Hmm... After rereading the definition at
<http://www.debian.org/Bugs/Developer#severities>, I guess there's no
reason for this bug to not fall under the description of 'critical',
since the security hole is present just from the installation of the
package.
Lo=EFc Minier:
This vulnerability is identified as CAN-2005-0023. The upstream
developers of vte have been notified of the bug at:
<http://bugzilla.gnome.org/show_bug.cgi?id=317312>
Martin Schulze (Joey):
being able to write arbitrary strings into valid records without
overwriting any other data in utmp/wtmp can hardly be classified
as a security vulnerability.
...
Ok, so unless somebody proves us wrong we don't consider this a
security problem.
Cheers,
Paul Szabo psz (at) maths.usyd.edu (dot) au [email concealed] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
http://bugs.debian.org/329156
Extracts from above:
Paul Szabo <psz (at) maths.usyd.edu (dot) au [email concealed]>:
gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. ...
...
I do not know any root escalation methods. ... cannot think of any
"important" uses of utmp/wtmp files. ...
Steve Langasek, Debian Developer:
Hmm... After rereading the definition at
<http://www.debian.org/Bugs/Developer#severities>, I guess there's no
reason for this bug to not fall under the description of 'critical',
since the security hole is present just from the installation of the
package.
Lo=EFc Minier:
This vulnerability is identified as CAN-2005-0023. The upstream
developers of vte have been notified of the bug at:
<http://bugzilla.gnome.org/show_bug.cgi?id=317312>
Martin Schulze (Joey):
being able to write arbitrary strings into valid records without
overwriting any other data in utmp/wtmp can hardly be classified
as a security vulnerability.
...
Ok, so unless somebody proves us wrong we don't consider this a
security problem.
Cheers,
Paul Szabo psz (at) maths.usyd.edu (dot) au [email concealed] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
[ reply ]