PublicDateAtUSN: 2013-10-09
Candidate: CVE-2013-2207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2207
https://usn.ubuntu.com/usn/usn-2985-1
pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not
properly check permissions for tty files, which allows local users to
change the permission on the files and obtain access to arbitrary
pseudo-terminals by leveraging a FUSE file system.
Martin Carpenter discovered that pt_chown in the GNU C Library
did not properly check permissions for tty files. A local attacker
could use this to gain administrative privileges or expose sensitive
mdeslaur> patch disables building of pt_chown
mdeslaur> We can't just remove pt_chown from older releases, as
mdeslaur> unfortunately a lot of stuff still needs it, like lxc for
mdeslaur> example. We'll need to identify them first and fix them at the
mdeslaur> While this CVE was originally marked as fixed in 2.17-93ubuntu2,
mdeslaur> it got reverted in 2.17-93ubuntu4.
http://sourceware.org/bugzilla/show_bug.cgi?id=15755
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717544
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2207
Discovered-by: Martin Carpenter
upstream: http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=e4608715e6e1dd2adc91982fd151d5ba4f761d69
upstream_eglibc: needs-triage
precise_eglibc: released (2.15-0ubuntu10.14)
precise/esm_eglibc: released (2.15-0ubuntu10.14)
trusty_eglibc: released (2.19-0ubuntu6.8)
vivid/stable-phone-overlay_eglibc: DNE
vivid/ubuntu-core_eglibc: DNE
upstream_glibc: needed
precise/esm_glibc: DNE
vivid_glibc: ignored (reached end-of-life)
vivid/stable-phone-overlay_glibc: ignored (reached end-of-life)
vivid/ubuntu-core_glibc: released (2.21-0ubuntu4.0.7)
wily_glibc: released (2.21-0ubuntu4.2)
xenial_glibc: not-affected (2.23-0ubuntu1)
yakkety_glibc: not-affected (2.23-0ubuntu1)
zesty_glibc: not-affected (2.23-0ubuntu1)
devel_glibc: not-affected (2.23-0ubuntu1)