CVE-2005-4890
Published: 4 November 2019
There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
Notes
Author | Note |
---|---|
mdeslaur | sudo is also apparently vulnerable to this, so the use_pty option was added. We need to verify versions, and make sure it is actually getting honored (apparently the option wasn't working: http://www.openwall.com/lists/oss-security/2011/06/22/4) |
jdstrand | sudo in 12.04 and higher has the fix for use_pty. A small patch (http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1) can be used to enable it on Ubuntu 11.04 and 11.10. |
mdeslaur | Please note that use_pty is not enabled by default in sudo, it must be specifically enabled. |
seth-arnold | su interactive has the same problem, no fix known on 20130305 |
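
Because the notes above say use_pty must be enabled explicitly, a sudoers audit for it is useful. The following is an added example, not part of the original tracker entry or of sudo itself; the function names and the sample sudoers text are constructed for illustration, and `#include`d files are not followed.

```python
import re

# Constructed sample sudoers text for illustration; not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset, \\
         use_pty
Defaults:deploy !use_pty
%admin ALL=(ALL) ALL
"""

# Matches "Defaults", optionally bound to a user (:), host (@), runas (>) or command (!).
DEFAULTS_RE = re.compile(r"^Defaults(?:([:@>!])(\S+))?\s+(.*)$")

def logical_lines(text):
    """Join backslash-continued lines; drop blank and full-line comment lines."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def use_pty_status(text):
    """Return (global_setting, scoped) for the use_pty flag.

    global_setting is True/False when an unscoped Defaults line sets the flag,
    None when it is never set. scoped lists (scope, enabled) pairs.
    """
    global_setting, scoped = None, []
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        kind, name, options = m.groups()
        for opt in options.split(","):  # simple split; quoted commas not handled
            opt = opt.strip()
            if opt.lstrip("! ") != "use_pty":
                continue
            enabled = not opt.startswith("!")
            if kind is None:
                global_setting = enabled  # a later line overrides an earlier one
            else:
                scoped.append((kind + name, enabled))
    return global_setting, scoped

def audit(text):
    """True only if use_pty is on globally and no scoped Defaults turns it off."""
    global_setting, scoped = use_pty_status(text)
    return global_setting is True and all(enabled for _, enabled in scoped)
```

On the constructed sample, the global setting is on but the `Defaults:deploy !use_pty` line disables it for one user, so `audit` reports a failure.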
Priority
CVSS 3 base score: 7.8
Status
Package | Release | Status |
---|---|---|
shadow | artful | Not vulnerable |
shadow | bionic | Not vulnerable |
shadow | cosmic | Not vulnerable |
shadow | disco | Not vulnerable |
shadow | eoan | Not vulnerable |
shadow | focal | Not vulnerable |
shadow | groovy | Not vulnerable |
shadow | hardy | Ignored (reached end-of-life) |
shadow | hirsute | Not vulnerable |
shadow | lucid | Ignored (reached end-of-life) |
shadow | maverick | Ignored (reached end-of-life) |
shadow | natty | Ignored (reached end-of-life) |
shadow | oneiric | Ignored (reached end-of-life) |
shadow | precise | Ignored (end of ESM support, was needed) |
shadow | quantal | Ignored (reached end-of-life) |
shadow | raring | Ignored (reached end-of-life) |
shadow | saucy | Ignored (reached end-of-life) |
shadow | trusty | Not vulnerable (1:4.1.5.1-1ubuntu9) |
shadow | upstream | Released (1:4.1.5-1) |
shadow | utopic | Not vulnerable |
shadow | vivid | Not vulnerable |
shadow | wily | Not vulnerable |
shadow | xenial | Not vulnerable |
shadow | yakkety | Not vulnerable |
shadow | zesty | Not vulnerable |
sudo | artful | Not vulnerable |
sudo | bionic | Not vulnerable |
sudo | cosmic | Not vulnerable |
sudo | disco | Not vulnerable |
sudo | eoan | Not vulnerable |
sudo | focal | Not vulnerable |
sudo | groovy | Not vulnerable |
sudo | hardy | Ignored (reached end-of-life) |
sudo | hirsute | Not vulnerable |
sudo | lucid | Ignored (reached end-of-life) |
sudo | maverick | Ignored (reached end-of-life) |
sudo | natty | Ignored (reached end-of-life) |
sudo | oneiric | Ignored (reached end-of-life) |
sudo | precise | Not vulnerable (1.8.3p2-1ubuntu2) |
sudo | quantal | Not vulnerable |
sudo | raring | Not vulnerable |
sudo | saucy | Not vulnerable |
sudo | trusty | Not vulnerable |
sudo | upstream | Released (1.8.2) |
sudo | utopic | Not vulnerable |
sudo | vivid | Not vulnerable |
sudo | wily | Not vulnerable |
sudo | xenial | Not vulnerable |
sudo | yakkety | Not vulnerable |
sudo | zesty | Not vulnerable |
Patches (sudo)
- upstream: http://www.sudo.ws/repos/sudo/rev/aea971f1456a (pt1)
- upstream: http://www.sudo.ws/repos/sudo/rev/e7b167f8a6e5 (pt2)
- upstream: http://www.sudo.ws/repos/sudo/rev/26120a59c20e (pt3)
- upstream: http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1 (pt4)
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4890
- http://www.openwall.com/lists/oss-security/2011/06/02/3
- http://www.openwall.com/lists/oss-security/2012/11/05/8
- http://www.ush.it/2009/01/06/25c3-ccc-congress-2008-tricks-makes-you-smile/
- http://www.redhat.com/archives/fedora-devel-list/2004-July/msg01314.html
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262454
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843 (shadow)
- https://bugzilla.redhat.com/show_bug.cgi?id=710208
- https://bugzilla.redhat.com/show_bug.cgi?id=173008
- https://bugzilla.redhat.com/show_bug.cgi?id=199066
- https://bugzilla.redhat.com/show_bug.cgi?id=479145
- http://www.sudo.ws/bugs/show_bug.cgi?id=142