I was asked to check over smb4k's[1] recent update (involving sudoers mangling[2]). After convincing myself that the bug itself wasn't a security issue (beyond it being a self-DoS), I did a quick audit and found a number of other problems. We are not interested in an embargo. If no one else wants an embargo, I will open an upstream report for these problems on 2006-11-28.

In general, smb4k's base design is dangerous; anyone added to the smb4k group list has the ability to arbitrarily kill any process with "sudo smb4k_kill".

Specific programming errors:
- smb4k/core/smb4kfileio.cpp
  - priv escalation: writeFile uses mktemp, allowing a difficult race on sudoers file writing.
  - information leak: writeFile stores the contents of sudoers without enforcing strict permissions, allowing world-readable contents.
  - data destruction: remove_lock_file race allows arbitrary user-owned files to be mucked with.
- utilities/smb4k_*.cpp:
  - priv escalation: when used along with the "sudo" configuration, all of the tools have stack overflows with args variable, as well as other strcpy uses that could be a problem in the future.

[1] http://smb4k.berlios.de/
[2] http://developer.berlios.de/project/shownotes.php?release_id=11138

--
Kees Cook
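Added example (not smb4k's code, and not posted by anyone in this bug): hardened C counterparts to two of the patterns listed in the report above. write_private_file() shows the mkstemp()/fchmod()/rename() sequence that closes both the mktemp() race and the world-readable temp file in writeFile, and join_args() shows a length-checked replacement for building a command line from argv with strcpy() into a fixed stack buffer. The function names, the 0440 mode (the usual mode of a sudoers file) and the sample file contents and paths are assumptions made for this example.

```c
/* Added example, not smb4k's code.  Assumes a POSIX system; the paths and
 * contents used in main() are constructed for illustration only. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Replace `path` atomically with `len` bytes from `data`, with mode `mode`.
 * - mkstemp() creates and opens the temp file in one step, so there is no
 *   window between choosing a name and creating it (the mktemp() race).
 * - The temp file lives in the same directory as `path`, so rename() is an
 *   atomic replace and readers never see a half-written file.
 * - fchmod() tightens the mode on the open descriptor before any content is
 *   written, so the data is never on disk with looser permissions.
 * Returns 0 on success, -1 on failure (errno set); `path` is untouched on failure. */
int write_private_file(const char *path, const char *data, size_t len, mode_t mode)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", path) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmpl);            /* created 0600, opened O_RDWR|O_EXCL */
    if (fd < 0)
        return -1;

    if (fchmod(fd, mode) != 0)
        goto fail;
    size_t off = 0;
    while (off < len) {                /* handle short writes and EINTR */
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        off += (size_t)n;
    }
    if (fsync(fd) != 0)                /* data must be durable before the rename */
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmpl, path) != 0)
        goto fail;
    return 0;

fail: {
        int saved = errno;
        if (fd >= 0)
            close(fd);
        unlink(tmpl);                  /* never leave the temp file behind */
        errno = saved;
        return -1;
    }
}

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Read at most cap-1 bytes of `path` into `buf` and NUL-terminate it.
 * Returns the number of bytes read, or -1 if the file cannot be opened. */
long read_small_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Bounded replacement for the strcpy()/strcat() pattern that joins argv into
 * one fixed-size buffer.  Every append is length checked: if the result would
 * not fit, the function returns -1 and leaves `out` empty instead of running
 * past the end of the buffer.  On success it returns the joined length. */
int join_args(char *out, size_t outsz, int argc, char *const argv[])
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    size_t used = 0;
    for (int i = 0; i < argc; i++) {
        int n = snprintf(out + used, outsz - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= outsz - used) {
            out[0] = '\0';             /* would have truncated: refuse instead */
            return -1;
        }
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed demo data; "example_sudoers" is a scratch file in the cwd. */
    const char *contents = "Defaults env_reset\n";
    if (write_private_file("example_sudoers", contents, strlen(contents), 0440) != 0) {
        perror("write_private_file");
        return 1;
    }
    printf("mode: %04o\n", file_mode("example_sudoers"));

    char cmd[16];
    char *const argv[] = { "smb4k_kill", "1234" };
    printf("join_args: %d (%s)\n", join_args(cmd, sizeof cmd, 2, argv), cmd);
    return 0;
}
```

The same idea applies to the lock-file case: operate on an already-open descriptor (fstat/fchmod/unlink-after-check) rather than re-resolving a path that another user may have swapped underneath the privileged helper.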
quick note before lunch...
http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769
http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769
those appear to be the upstream bugs he filed... guess this can be opened then later
Opening the bug, since the bugs over at berlios are public. Looks like this will be fixed upstream soon. KDE herd, please keep an eye on this.
0.8.0 is in tree, but considering the size of the changes, I wouldn't consider that for stable yet. I've removed the 0.7.x series and am now working on getting 0.6.10a + security patch working.
0.6.10a + security patch in tree.
Thx Diego. Arches, please test and mark stable. Target keywords are:
smb4k-0.6.10a.ebuild:KEYWORDS="amd64 ppc x86"
net-misc/smb4k-0.6.10a USE="-arts -debug -xinerama"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.4 i686)
=================================================================
System uname: 2.6.18.4 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Fri, 22 Dec 2006 14:00:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Stable on x86 by Ticho
ppc stable
Tried to test in my amd64 chroot but ran into an unrelated kdelibs bug (it won't emerge without X). I'm trying it on my main system (with X) now, and will report results.
Works for me on amd64.

emerge --info:
Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
Gentoo Base System version 1.12.6
Last Sync: Sat, 23 Dec 2006 18:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /lib/modules /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer multilib-strict prelink sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo"
LINGUAS="en en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi aiglx alsa alsa_cards_hda-intel alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol arts berkdb bitmap-fonts cairo cdda cddb cdinstall cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd exif fam firefox flac fortran gdbm gif gnome gpm gstreamer gtk gtk2 hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics ipv6 isdnlog java5 jce jikes jpeg kde kernel_linux ldap libg++ linguas_en linguas_en_US lirc lirc_devices_streamzap mad mikmod mp3 mpeg ncurses nls nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl srvdir ssl symlink tcpd theora truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_i810 video_cards_i945 video_cards_vesa vorbis x264 xml xorg xv xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 stable
TTV (time to vote)

The most severe vuln sounds like a hard-to-do local priv escalation.
http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769

I vote Yes
I'm actually the only active member of the security team, so I can't apply the policy stating that 2 positive votes mean a GLSA. Let's have one btw :)
GLSA 200703-09, thanks everybody and closing.