Alpaquita Linux
Security Advisory

CVE-2016-2781

Published: February 7, 2017Last modified: February 15, 2024

Description

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Severity score breakdown

ParameterValue
Base score6.5
Attack VectorLOCAL
Attack complexityLOW
Privileges requiredLOW
User interactionNONE
ScopeCHANGED
ConfidentialityNONE
Integrity impactHIGH
Availability impactNONE
VectorCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Notes

The fix reverted in coreutils http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=f5d7c0842ef7adc2be6e85f9ef66b35ebbbd6a61, with the following statement: "This reverts commit v8.27-97-g8cb06d4 because the setsid() fallback was not implemented correctly and disabling the ioctl was not a complete solution to the security issue of the child being passed the tty of the parent. Given runcon is not really a sandbox command, the advice is to use `runcon ... setsid ...` to avoid this particular issue."

Status

ProductReleasePackageStatus
Alpaquita LinuxStreamcoreutilsWill not fix (9.1-r0)

References

ON THIS PAGE