Bugzilla – Bug 968675
VUL-0: CVE-2016-2781: coreutils: chroot hijacking via TIOCSTI ioctl
Last modified: 2018-10-04 22:55:01 UTC
Reference: http://seclists.org/oss-sec/2016/q1/452

When executing a program via "chroot --userspec=someuser:somegroup / /path/to/test", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer.

CVE-2016-2781 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781
http://seclists.org/oss-sec/2016/q1/452
Is it already known whether it is an issue of runuser or issue of chroot?
Confirmed:

util-linux # cp -a test_tiocsti /openSUSE-root/
util-linux # chroot /openSUSE-root /test_tiocsti id -u -n
util-linux # id -u -n
root

I see no runuser inside the strace, so the chroot utility itself is affected. Reassigning.

Please follow bug 968674 for the progress, as the attack vector is the same for all programs. The reproducer is attached there as well.
To make the reproducer clean, I changed "id -u -n" to "ls -al /". The command injected from inside the chroot is confirmed as being executed outside the chroot.
According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 this is best fixed by the kernel disallowing the use of TIOCSTI to unprivileged users unless the caller has CAP_SYS_ADMIN. I'm therefore reassigning this bug.
Still won't help, as we have callers being root in the above chroot case.
As discussed: since root in chroot == root on the system, this is not a security issue. Given the problematic solution for other cases where this indeed is a security problem and needs to be fixed, we will not put out an update for this.
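One user-space mitigation for the non-root --userspec case described above is to start the confined command in a new session, so it has no controlling terminal and the kernel rejects its TIOCSTI requests (they are only honoured on the caller's own controlling tty or with CAP_SYS_ADMIN). The wrapper below is an added example written for this page, not code from coreutils or from this bug report; the names run_detached and has_controlling_tty are chosen here, and, as the comments note, it does not help when the process inside the chroot is root.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, 0 otherwise.
 * open("/dev/tty") fails with ENXIO for a process that has none. */
int has_controlling_tty(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Run argv in a child that first calls setsid(), leaving it without a
 * controlling terminal. The child can still read and write any inherited
 * tty descriptors, but TIOCSTI on them now fails with EPERM for an
 * unprivileged process, so it cannot queue keystrokes for the parent
 * session. Caveat: a root child keeps CAP_SYS_ADMIN and is not stopped.
 * Returns the child's exit status, 127 if exec failed, -1 on fork/wait
 * error. (Example wrapper, not the coreutils chroot implementation.) */
int run_detached(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)        /* cannot fail for a fresh, non-leader child */
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_detached(argv + 1);
    printf("child exited with %d; wrapper still has a tty: %d\n",
           rc, has_controlling_tty());
    return rc < 0 ? 1 : rc;
}
```

Running the same confined command with and without the wrapper, the detached child fails to open /dev/tty at all, which is the property that makes TIOCSTI unavailable to it.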