<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2024-28085: Escape sequence injection in util-linux wall
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Karel Zak <kzak () redhat com>
Date: Thu, 28 Mar 2024 10:10:27 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Thu, Mar 28, 2024 at 12:29:35AM +0100, Solar Designer wrote:
?? https://github.com/util-linux/util-linux/commit/404b0781f52f7c04
("wall: fix escape sequence Injection [CVE-2024-28085]")
Would enforcing UTF-8 validity (regardless of user locale) be a
solution?
Not a complete solution.
There is only one real solution: do not allow non-root users to write
to foreign file descriptors. Do not install wall(1) with suid. That's
all.
For now, it is enabled by default in the upstream tree, but I will
disable it in the next releases and explicit --enable-* will be
required. We also need to add more information to the man pages.
Karel
I'm currently not aware of a safe way to allow
multi-byte characters coming from concurrent writers, see:
https://www.openwall.com/lists/oss-security/2015/09/20/1
and the next message in that thread.
In fact, even plain ASCII isn't entirely safe if it just happens to be
injected into the middle of a control sequence that the target user's
program was printing, thereby altering its effect.
That said, perhaps write(1)/wall(1) just shouldn't allow bytes from both
C0 and C1 ranges (except for TAB, LF, space) regardless of locale
settings, at least when the programs are running SUID/SGID. That is,
unless the invoking user - which in this case is likely root - could
have directly written to the target user's tty anyway. In other words,
mostly revert those offending commits. Or just revert them completely.
Alexander
--
Karel Zak <kzak () redhat com>
http://karelzak.blogspot.com
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2024-28085: Escape sequence injection in util-linux wall Skyler Ferrante (RIT Student) (Mar 27)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall nightmare . yeah27 (Mar 27)
Re: Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 28)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 27)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Demi Marie Obenour (Mar 27)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Solar Designer (Mar 27)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Karel Zak (Mar 28)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Alexander E. Patrakov (Mar 28)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->