Re: CVE-2024-28085: Escape sequence injection in util-linux wall

[Karel Zak <kzak () redhat com>]

On Thu, Mar 28, 2024 at 12:29:35AM +0100, Solar Designer wrote:
> > > ?? https://github.com/util-linux/util-linux/commit/404b0781f52f7c04
> > >   ("wall: fix escape sequence Injection [CVE-2024-28085]")
> >
> > Would enforcing UTF-8 validity (regardless of user locale) be a
> > solution?
>
> Not a complete solution. 

There is only one real solution: do not allow non-root users to write
to foreign file descriptors. Do not install wall(1) with suid. That's
all.

For now, it is enabled by default in the upstream tree, but I will
disable it in the next releases and explicit --enable-* will be
required. We also need to add more information to the man pages.

    Karel

I'm currently not aware of a safe way to allow
> multi-byte characters coming from concurrent writers, see:
>
> https://www.openwall.com/lists/oss-security/2015/09/20/1
>
> and the next message in that thread.
>
> In fact, even plain ASCII isn't entirely safe if it just happens to be
> injected into the middle of a control sequence that the target user's
> program was printing, thereby altering its effect.
>
> That said, perhaps write(1)/wall(1) just shouldn't allow bytes from both
> C0 and C1 ranges (except for TAB, LF, space) regardless of locale
> settings, at least when the programs are running SUID/SGID.  That is,
> unless the invoking user - which in this case is likely root - could
> have directly written to the target user's tty anyway.  In other words,
> mostly revert those offending commits.  Or just revert them completely.
>
> Alexander

-- 
 Karel Zak  <kzak () redhat com>
 http://karelzak.blogspot.com