Systemd Insecure PTY Handling Vulnerability

Author: hackerhouse-opensource

systemd-run-tty.txt

@@ -16,7 +16,7 @@ v256 that is based on the existing policykit and d-bus based "systemd-run"
 transient service execution. The code in "src/run/run.c" on line 1673 
 creates a PTY master and slave used for this process, and the slave 
 name is passed to unlockpt() on line 1689. This allows any process to 
-connect to "/dev/pts/0" interface as a slave, this interface is created 
+connect to e.g. "/dev/pts/4" slave interface, this interface is created 
 under the local user context executing "systemd-run". The code subsequently 
 uses a PTY forwarder (src/shared/ptyfwd.c) and d-bus once authentication
 by policykit is approved, the slave end of the pty created will be