Your submission was sent successfully! Close

CVE-2005-4890

Published: 4 November 2019

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

Notes

AuthorNote
mdeslaur
sudo is also apprently vulnerable to this, so the use_pty
option was added. We need to verify versions, and make sure
it is actually getting honored (apparently the option wasn't
working: http://www.openwall.com/lists/oss-security/2011/06/22/4)
jdstrand
sudo in 12.04 and higher has the fix for use_pty. A small patch
(http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1) can be used to enable it
on Ubuntu 11.04 and 11.10.
mdeslaur
Please note that use_pty is not enabled by default in sudo, it
must be specifically enabled.
seth-arnold
su interactive has the same problem, no fix known on 20130305
Priority

Low

CVSS 3 base score: 7.8

Status

Package Release Status
shadow
Launchpad, Ubuntu, Debian
artful Not vulnerable

bionic Not vulnerable

cosmic Not vulnerable

disco Not vulnerable

eoan Not vulnerable

focal Not vulnerable

groovy Not vulnerable

hardy Ignored
(reached end-of-life)
hirsute Not vulnerable

lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Ignored
(reached end-of-life)
precise Ignored
(end of ESM support, was needed)
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Not vulnerable
(1:4.1.5.1-1ubuntu9)
upstream
Released (1:4.1.5-1)
utopic Not vulnerable

vivid Not vulnerable

wily Not vulnerable

xenial Not vulnerable

yakkety Not vulnerable

zesty Not vulnerable

sudo
Launchpad, Ubuntu, Debian
artful Not vulnerable

bionic Not vulnerable

cosmic Not vulnerable

disco Not vulnerable

eoan Not vulnerable

focal Not vulnerable

groovy Not vulnerable

hardy Ignored
(reached end-of-life)
hirsute Not vulnerable

lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Ignored
(reached end-of-life)
precise Not vulnerable
(1.8.3p2-1ubuntu2)
quantal Not vulnerable

raring Not vulnerable

saucy Not vulnerable

trusty Not vulnerable

upstream
Released (1.8.2)
utopic Not vulnerable

vivid Not vulnerable

wily Not vulnerable

xenial Not vulnerable

yakkety Not vulnerable

zesty Not vulnerable

Patches:
upstream: http://www.sudo.ws/repos/sudo/rev/aea971f1456a (pt1)
upstream: http://www.sudo.ws/repos/sudo/rev/e7b167f8a6e5 (pt2)
upstream: http://www.sudo.ws/repos/sudo/rev/26120a59c20e (pt3)
upstream: http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1 (pt4)