CVE-2005-4890

Published: 04 November 2019

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

Priority

Low

CVSS 3 base score: 7.8

Status

Package | Release | Status
shadow (Launchpad, Ubuntu, Debian) | Upstream | Released (1:4.1.5-1)
shadow | Ubuntu 21.04 (Hirsute Hippo) | Not vulnerable
shadow | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable
shadow | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable
shadow | Ubuntu 16.04 ESM (Xenial Xerus) | Not vulnerable
shadow | Ubuntu 14.04 ESM (Trusty Tahr) | Not vulnerable (1:4.1.5.1-1ubuntu9)
sudo (Launchpad, Ubuntu, Debian) | Upstream | Released (1.8.2)
sudo | Ubuntu 21.04 (Hirsute Hippo) | Not vulnerable
sudo | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable
sudo | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable
sudo | Ubuntu 16.04 ESM (Xenial Xerus) | Not vulnerable
sudo | Ubuntu 14.04 ESM (Trusty Tahr) | Not vulnerable

Patches:
Upstream: http://www.sudo.ws/repos/sudo/rev/aea971f1456a (pt1)
Upstream: http://www.sudo.ws/repos/sudo/rev/e7b167f8a6e5 (pt2)
Upstream: http://www.sudo.ws/repos/sudo/rev/26120a59c20e (pt3)
Upstream: http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1 (pt4)

Notes

Author / Note
mdeslaur
sudo is also apparently vulnerable to this, so the use_pty
option was added. We need to verify versions, and make sure
it is actually getting honored (apparently the option wasn't
working: http://www.openwall.com/lists/oss-security/2011/06/22/4)
jdstrand
sudo in 12.04 and higher has the fix for use_pty. A small patch
(http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1) can be used to enable it
on Ubuntu 11.04 and 11.10.
mdeslaur
Please note that use_pty is not enabled by default in sudo, it
must be specifically enabled.
seth-arnold
su interactive has the same problem, no fix known on 20130305
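
Because use_pty has to be switched on explicitly, a configuration audit can check whether a sudoers file enables it for everyone. The following is an added example, not part of the tracker entry or of sudo itself; the function name and the sample sudoers text are constructed for illustration, and the parser assumes that later Defaults entries override earlier ones and does not follow include directives.

```python
import re
from typing import Optional

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_WEAK = """\
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
# Defaults use_pty
Defaults:backup use_pty
%sudo ALL=(ALL:ALL) ALL
"""

SAMPLE_HARDENED = """\
Defaults env_reset, \\
         use_pty
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
"""

SAMPLE_OVERRIDDEN = SAMPLE_HARDENED + "Defaults !use_pty\n"


def global_use_pty(sudoers_text: str) -> Optional[bool]:
    """Return the last global use_pty setting, or None if never set globally."""
    # Join backslash-continued lines into one logical line.
    text = re.sub(r"\\\n", " ", sudoers_text)
    state = None
    for line in text.splitlines():
        # Blank out quoted values so '#' or ',' inside them is not misread.
        line = re.sub(r'"[^"]*"', '""', line)
        line = line.split("#", 1)[0].strip()
        # Only an unscoped "Defaults <params>" line applies to all users;
        # Defaults:user, Defaults@host, Defaults>runas, Defaults!cmnd are scoped.
        m = re.match(r"Defaults\s+(.*)", line)
        if not m:
            continue
        for param in m.group(1).split(","):
            param = param.strip()
            if re.fullmatch(r"!\s*use_pty", param):
                state = False   # explicitly disabled
            elif param == "use_pty":
                state = True    # explicitly enabled
    return state


if __name__ == "__main__":
    for name in ("SAMPLE_WEAK", "SAMPLE_HARDENED", "SAMPLE_OVERRIDDEN"):
        print(name, global_use_pty(globals()[name]))
```

A result of None or False means the option is not enabled for all users, which per the notes above is the default state. The check reads configuration only and does not confirm that the installed sudo version honors the option.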
