There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via “su - user -c program”. The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | shadow | < 1:4.1.5-1 | shadow_1:4.1.5-1_all.deb |
Debian | 11 | all | shadow | < 1:4.1.5-1 | shadow_1:4.1.5-1_all.deb |
Debian | 10 | all | shadow | < 1:4.1.5-1 | shadow_1:4.1.5-1_all.deb |
Debian | 999 | all | shadow | < 1:4.1.5-1 | shadow_1:4.1.5-1_all.deb |
Debian | 13 | all | shadow | < 1:4.1.5-1 | shadow_1:4.1.5-1_all.deb |
Debian | 12 | all | sudo | < 1.7.4p4 | sudo_1.7.4p4_all.deb |
Debian | 11 | all | sudo | < 1.7.4p4 | sudo_1.7.4p4_all.deb |
Debian | 10 | all | sudo | < 1.7.4p4 | sudo_1.7.4p4_all.deb |
Debian | 999 | all | sudo | < 1.7.4p4 | sudo_1.7.4p4_all.deb |
Debian | 13 | all | sudo | < 1.7.4p4 | sudo_1.7.4p4_all.deb |