CVE-2005-4890
Published: 04 November 2019
There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
Priority
Low
CVSS 3 base score: 7.8
Status
| Package | Release | Status |
|---|---|---|
|
shadow Launchpad, Ubuntu, Debian |
Upstream |
Released
(1:4.1.5-1)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(1:4.1.5.1-1ubuntu9)
|
|
|
sudo Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.8.2)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
|
|
|
Patches: Upstream: http://www.sudo.ws/repos/sudo/rev/aea971f1456a (pt1) Upstream: http://www.sudo.ws/repos/sudo/rev/e7b167f8a6e5 (pt2) Upstream: http://www.sudo.ws/repos/sudo/rev/26120a59c20e (pt3) Upstream: http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1 (pt4) |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | sudo is also apprently vulnerable to this, so the use_pty option was added. We need to verify versions, and make sure it is actually getting honored (apparently the option wasn't working: http://www.openwall.com/lists/oss-security/2011/06/22/4) |
| jdstrand | sudo in 12.04 and higher has the fix for use_pty. A small patch (http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1) can be used to enable it on Ubuntu 11.04 and 11.10. |
| mdeslaur | Please note that use_pty is not enabled by default in sudo, it must be specifically enabled. |
| seth-arnold | su interactive has the same problem, no fix known on 20130305 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4890
- http://www.openwall.com/lists/oss-security/2011/06/02/3
- http://www.openwall.com/lists/oss-security/2012/11/05/8
- http://www.ush.it/2009/01/06/25c3-ccc-congress-2008-tricks-makes-you-smile/
- http://www.redhat.com/archives/fedora-devel-list/2004-July/msg01314.html
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262454
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
- https://bugzilla.redhat.com/show_bug.cgi?id=710208
- https://bugzilla.redhat.com/show_bug.cgi?id=173008
- https://bugzilla.redhat.com/show_bug.cgi?id=199066
- https://bugzilla.redhat.com/show_bug.cgi?id=479145
- http://www.sudo.ws/bugs/show_bug.cgi?id=142