From owner-freebsd-security@FreeBSD.ORG Tue Oct 5 12:38:19 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C56316A4CE for ; Tue, 5 Oct 2004 12:38:19 +0000 (GMT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AA1643D31 for ; Tue, 5 Oct 2004 12:38:19 +0000 (GMT) (envelope-from nectar@celabo.org) Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id 7F83954861; Tue, 5 Oct 2004 07:38:18 -0500 (CDT) Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 94713-08; Tue, 5 Oct 2004 07:38:07 -0500 (CDT) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (not verified)) by gw.celabo.org (Postfix) with ESMTP id D95B75485D; Tue, 5 Oct 2004 07:38:07 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id B62036D466; Tue, 5 Oct 2004 07:37:54 -0500 (CDT) Date: Tue, 5 Oct 2004 07:37:54 -0500 From: "Jacques A. Vidrine" To: Darren Pilgrim Message-ID: <20041005123754.GC12681@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Darren Pilgrim , freebsd-security@freebsd.org References: <200410042054.i94KsBD9021963@freefall.freebsd.org> <000601c4aa68$0034af70$162a15ac@spud> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000601c4aa68$0034af70$162a15ac@spud> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.6i cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Oct 2004 12:38:19 -0000 Hi Darren, On Mon, Oct 04, 2004 at 04:15:07PM -0700, Darren Pilgrim wrote: > > FreeBSD-SA-04:15.syscons > <...> > > IV. Workaround > > > > There is no known workaround. However, this bug is only exploitable > > by users who have access to the physical console or can otherwise open > > a /dev/ttyv* device node. > > Is there anything in the base system that, by design or flaw, can be used by > a non-root user to open a ttyv device? Any user can open a ttyv device that she owns. But if you mean, "can be used by a non-root user to open a ttyv device not owned by that user?" : None of which I'm aware. > Is the tty snoop device vulnerable by proxy? No, it is not. The snp device does not "forward" ioctls. Cheers, -- Jacques A Vidrine / NTT/Verio nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org