[40673] in bugtraq
gnome-pty-helper writes arbitrary utmp records
daemon@ATHENA.MIT.EDU (Paul Szabo)
Sat Oct 8 14:21:37 2005
From: Paul Szabo <psz@maths.usyd.edu.au>
Date: Sat, 8 Oct 2005 07:29:23 +1000
Message-Id: <200510072129.j97LTN82011208@pisa.maths.usyd.edu.au>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
For full details please see
http://bugs.debian.org/329156
Extracts from above:
Paul Szabo <psz@maths.usyd.edu.au>:
gnome-pty-helper can be made to write utmp/wtmp records with arbitrary
DISPLAY (host) settings. ...
...
I do not know any root escalation methods. ... cannot think of any
"important" uses of utmp/wtmp files. ...
Steve Langasek, Debian Developer:
Hmm... After rereading the definition at
<http://www.debian.org/Bugs/Developer#severities>, I guess there's no
reason for this bug to not fall under the description of 'critical',
since the security hole is present just from the installation of the
package.
Lo=EFc Minier:
This vulnerability is identified as CAN-2005-0023. The upstream
developers of vte have been notified of the bug at:
<http://bugzilla.gnome.org/show_bug.cgi?id=317312>
Martin Schulze (Joey):
being able to write arbitrary strings into valid records without
overwriting any other data in utmp/wtmp can hardly be classified
as a security vulnerability.
...
Ok, so unless somebody proves us wrong we don't consider this a
security problem.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
