CVE-2011-1496
published 2011-04-18CVE-2011-1496: tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option.
PriorityP423medium4.6CVSS 2.0
AVLACLAuNCPIPAP
EXPLOIT
EPSS
0.95%
56.9th percentile
tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tmux | < tmux 1.4-6 (bookworm) | tmux 1.4-6 (bookworm) |
| nicholas_marriott | tmux | — | — |
| nicholas_marriott | tmux | — | — |
| tmux | tmux | >= 0 < 1.4-6 | 1.4-6 |
| tmux | tmux | >= 0 < 1.4-6 | 1.4-6 |
| tmux | tmux | >= 0 < 1.4-6 | 1.4-6 |
| tmux | tmux | >= 0 < 1.4-6 | 1.4-6 |
CVSS provenance
nvdv2.04.6MEDIUMAV:L/AC:L/Au:N/C:P/I:P/A:P
osv4.6MEDIUM
vendor_debian4.6MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-ph56-qx6x-j8xv: tmux 1
ghsa_unreviewed·2022-05-17
CVE-2011-1496 [MEDIUM] GHSA-ph56-qx6x-j8xv: tmux 1
tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option.
OSV
CVE-2011-1496: tmux 1
osv·2011-04-18·CVSS 4.6
CVE-2011-1496 [MEDIUM] CVE-2011-1496: tmux 1
tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option.
Debian
CVE-2011-1496: tmux - tmux 1.3 and 1.4 does not properly drop group privileges, which allows local use...
vendor_debian·2011·CVSS 4.6
CVE-2011-1496 [MEDIUM] CVE-2011-1496: tmux - tmux 1.3 and 1.4 does not properly drop group privileges, which allows local use...
tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option.
Scope: local
bookworm: resolved (fixed in 1.4-6)
bullseye: resolved (fixed in 1.4-6)
forky: resolved (fixed in 1.4-6)
sid: resolved (fixed in 1.4-6)
trixie: resolved (fixed in 1.4-6)
No detection rules found.
Bugzilla
CVE-2011-1496 tmux does not drop group tmux privileges properly [epel-all]
bugzilla·2011-04-07·CVSS 4.6
CVE-2011-1496 [MEDIUM] CVE-2011-1496 tmux does not drop group tmux privileges properly [epel-all]
CVE-2011-1496 tmux does not drop group tmux privileges properly [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=693824
Please note: this issue affects multiple
Bugzilla
CVE-2011-1496 tmux does not drop group tmux privileges properly [fedora-all]
bugzilla·2011-04-07·CVSS 4.6
CVE-2011-1496 [MEDIUM] CVE-2011-1496 tmux does not drop group tmux privileges properly [fedora-all]
CVE-2011-1496 tmux does not drop group tmux privileges properly [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=693824
Please note: this issue affects multip
Bugzilla
CVE-2011-1496 tmux does not drop group tmux privileges properly
bugzilla·2011-04-05·CVSS 4.6
CVE-2011-1496 [MEDIUM] CVE-2011-1496 tmux does not drop group tmux privileges properly
CVE-2011-1496 tmux does not drop group tmux privileges properly
Created attachment 490029
updated patch from Debian (tmux_1.4-6)
A Debian bug report [1] noted that tmux did not drop group privileges properly. On Debian this is a bit of a security risk as tmux seems to be sgid utmp, but on Fedora it is sgid tmux. In the interest of correcting the behaviour, I'm filing this bug but not as a security bug. This also would affect tmux in EPEL.
To reproduce:
% SHELL="/bin/dash" tmux -S my_socket
$ id
uid=1001(vdanen) gid=1001(vdanen) egid=482(tmux) groups=1001(vdanen) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Debian has corrected it with an updated patch (attached).
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620304
Discussion:
This has been assigned the CVE
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058367.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/058452.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/058548.htmlhttp://secunia.com/advisories/44081http://secunia.com/advisories/44239http://www.debian.org/security/2011/dsa-2212http://www.exploit-db.com/exploits/17147http://www.securityfocus.com/bid/47283http://www.vupen.com/english/advisories/2011/0897http://www.vupen.com/english/advisories/2011/1002http://www.vupen.com/english/advisories/2011/1015https://exchange.xforce.ibmcloud.com/vulnerabilities/66693http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058367.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/058452.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-April/058548.htmlhttp://secunia.com/advisories/44081http://secunia.com/advisories/44239http://www.debian.org/security/2011/dsa-2212http://www.exploit-db.com/exploits/17147http://www.securityfocus.com/bid/47283http://www.vupen.com/english/advisories/2011/0897http://www.vupen.com/english/advisories/2011/1002http://www.vupen.com/english/advisories/2011/1015https://exchange.xforce.ibmcloud.com/vulnerabilities/66693
2011-04-18
Published