Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Re: CVE request: tmux local denial of service (2009)
From: Guido Berhoerster <guido+openwall.com () berhoerster name>
Date: Thu, 9 Jan 2014 20:51:15 +0100

* Florian Weimer <fweimer () redhat com> [2014-01-09 20:06]:
On 01/09/2014 07:44 PM, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

allows users to override the socket path using the -S command line option.

We'd like to consider this ineligible for a CVE unless there's new
information. In many cases, "ability to cause an inconvenience" is not
sufficient for a CVE assignment. The nature of the application
apparently makes it unlikely that this would, for example, disrupt
unattended root-executed scripts that have a hardcoded tmux command
line.

I reported this here because tmux is sometimes used to start servers
on system boot:

http://unix.stackexchange.com/questions/71372/using-tmux-on-boot-up-of-linux-centos
http://askubuntu.com/questions/62434/why-does-upstart-keep-respawning-my-process
https://bowerstudios.com/node/953
http://code.google.com/p/webrtc2sip/issues/detail?id=80

In that case the right thing to do is setting TMPDIR to a
directory only writable by the user (TMPDIR/-S/-L are documented
in the manpage so this can hardly count as suprising to users).
The development version also supports TMUX_TMPDIR in which
sockets are created without a subdirectory and which e.g. may be
set to XDG_RUNTIME_DIR.
The Debian patch makes tmux potentially less secure due to being
setgid and it was rejected by upstream, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529082#12
In 2011 Debian reverted to the upstream behavior and no longer
carries the patch referenced in the above bug report.
-- 
Guido Berhoerster


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault