From: tuxslack <tuxslack@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [ISSUE] CVE-2024-28085
Date: Sun, 02 Jun 2024 09:08:45 +0200 [thread overview]
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-50651@inbox.vuxu.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 983 bytes --]
New issue by tuxslack on void-packages repository
https://github.com/void-linux/void-packages/issues/50651
Description:
### Is this a new report?
Yes
### System Info
wall
### Package(s) Affected
util-linux
### Does a report exist for this bug with the project's home (upstream) and/or another distro?
https://diolinux.com.br/noticias/wallescape-falha-no-linux-falso-sudo.html
https://nvd.nist.gov/vuln/detail/CVE-2024-28085
### Expected behaviour
versão 2.40
### Actual behaviour
$ wall -V
wall de util-linux 2.39.3
maintainer: Enno Boland
pkgname: util-linux
pkgver: util-linux-2.39.3_2
### Steps to reproduce
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
next reply other threads:[~2024-06-02 7:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-02 7:08 tuxslack [this message]
2024-06-02 10:43 ` CVE-2024-28085 classabbyamp
2024-06-11 5:31 ` CVE-2024-28085 tuxslack
2024-06-11 5:31 ` CVE-2024-28085 tuxslack
2024-06-11 5:39 ` [ISSUE] [CLOSED] CVE-2024-28085 classabbyamp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-50651@inbox.vuxu.org \
--to=tuxslack@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).