CVE-2016-2856
Published 2016-03-14
Priority P345 · high · 8.4 (CVSS 3.0)
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.08% (60.9th percentile)
pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the eglibc package before 2.15-0ubuntu10.14 on Ubuntu 12.04 LTS and before 2.19-0ubuntu6.8 on Ubuntu 14.04 LTS; and the glibc package before 2.21-0ubuntu4.2 on Ubuntu 15.10 and before 2.23-0ubuntu1 on Ubuntu 16.04 LTS and 16.10 lacks a namespace check associated with file-descriptor passing, which allows local users to capture keystrokes and spoof data, and possibly gain privileges, via pts read and write operations, related to debian/sysdeps/linux.mk. NOTE: this is not considered a vulnerability in the upstream GNU C Library because the upstream documentation has a clear security recommendation against the --enable-pt_chown option.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | glibc | < glibc 2.21-1 (bookworm) | glibc 2.21-1 (bookworm) |
| eglibc | eglibc | >= 0 < 2.19-0ubuntu6.8 | 2.19-0ubuntu6.8 |
| eglibc | eglibc | >= 0 < 2.19-0ubuntu6.9 | 2.19-0ubuntu6.9 |
| gnu | glibc | >= 0 < 2.21-1 | 2.21-1 |
| gnu | glibc | >= 0 < 2.21-1 | 2.21-1 |
| gnu | glibc | >= 0 < 2.21-1 | 2.21-1 |
| gnu | glibc | >= 0 < 2.21-1 | 2.21-1 |
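CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.4 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 8.4 | HIGH | — |
| vendor_debian | — | 8.4 | LOW | — |
| vendor_ubuntu | — | 2.6 | LOW | — |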
GHSA
GHSA-2wf2-64hh-9h2m: pt_chown in the glibc package before 2
ghsa_unreviewed·2022-05-17
CVE-2016-2856 [HIGH] GHSA-2wf2-64hh-9h2m: pt_chown in the glibc package before 2
OSV
eglibc, glibc regression
osv·2016-05-26·CVSS 2.6
CVE-2014-9761 [LOW] eglibc, glibc regression
eglibc, glibc regression
USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for
CVE-2014-9761 introduced a regression which affected applications that
use the libm library but were not fully restarted after the upgrade.
This update removes the fix for CVE-2014-9761 and a future update
will be provided to address this issue.
We apologize for the inconvenience.
Original advisory details:
Martin Carpenter discovered that pt_chown in the GNU C Library did not
properly check permissions for tty files. A local attacker could use this
to gain administrative privileges or expose sensitive information.
(CVE-2013-2207, CVE-2016-2856)
Robin Hack discovered that the Name Service Switch (NSS) implementation in
the GNU C Library did not properly manage its file descriptors. An attacker
OSV
eglibc, glibc vulnerabilities
osv·2016-05-25·CVSS 2.6
CVE-2013-2207 [LOW] eglibc, glibc vulnerabilities
eglibc, glibc vulnerabilities
Martin Carpenter discovered that pt_chown in the GNU C Library did not
properly check permissions for tty files. A local attacker could use this
to gain administrative privileges or expose sensitive information.
(CVE-2013-2207, CVE-2016-2856)
Robin Hack discovered that the Name Service Switch (NSS) implementation in
the GNU C Library did not properly manage its file descriptors. An attacker
could use this to cause a denial of service (infinite loop).
(CVE-2014-8121)
Joseph Myers discovered that the GNU C Library did not properly handle long
arguments to functions returning a representation of Not a Number (NaN). An
attacker could use this to cause a denial of service (stack exhaustion
leading to an application crash) or possibly execute arbitrary code.
(CVE
OSV
CVE-2016-2856: pt_chown in the glibc package before 2
osv·2016-03-14·CVSS 8.4
CVE-2016-2856 [HIGH] CVE-2016-2856: pt_chown in the glibc package before 2
Ubuntu
GNU C Library regression
vendor_ubuntu·2016-05-26·CVSS 2.6
CVE-2014-9761 [LOW] GNU C Library regression
Title: GNU C Library regression
Summary: USN-2985-1 introduced a regression in the GNU C Library.
Ubuntu
GNU C Library vulnerabilities
vendor_ubuntu·2016-05-25·CVSS 2.6
CVE-2013-2207 [LOW] GNU C Library vulnerabilities
Title: GNU C Library vulnerabilities
Summary: Several security issues were fixed in the GNU C Library.
Debian
CVE-2016-2856: glibc - pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the eglibc ...
vendor_debian·2016·CVSS 8.4
CVE-2016-2856 [HIGH] CVE-2016-2856: glibc - pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the eglibc ...
Scope: local
bookworm: resolved (fixed in 2.21-1)
bullseye: resolved (fixed in 2.21-1)
No detection rules found.
No writeups or analysis indexed.
References
http://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=jessie&id=09f7764882a81e13e7b5d87d715412283a6ce403
http://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=jessie&id=11475c083282c1582c4dd72eecfcb2b7d308c958
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2856.html
http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/
http://www.openwall.com/lists/oss-security/2016/02/23/3
http://www.openwall.com/lists/oss-security/2016/03/07/2
http://www.securityfocus.com/bid/84601
http://www.ubuntu.com/usn/USN-2985-1
http://www.ubuntu.com/usn/USN-2985-2