92494 2005-05-13 06:26 0000 app-cdr/cdrdao: Unspecified Privilege Escalation Vulnerability 2006-03-24 07:09:48 0000 1 1 1 Unclassified Gentoo Security Default Configs unspecified All All RESOLVED FIXED http://secunia.com/advisories/15354/ [stable] jaervosz P2 normal --- 1 formula7@gentoo.org security@gentoo.org pylon@gentoo.org formula7@gentoo.org 2005-05-13 06:26:13 0000 Description: A vulnerability has been reported in cdrdao, which potentially can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to an unspecified error, which may be exploited to gain root privileges. Successful exploitation requires that cdrdao has been installed setuid root. Solution: Update to version 1.2.0. http://sourceforge.net/project/showfiles.php?group_id=2171 jaervosz@gentoo.org 2005-05-13 07:11:01 0000 From ChangeLog: o SECURITY FIX: cdrdao now gives up its root privileges after setting up real-time scheduling, as well as before saving settings through the --save option. This fixes a potential local root exploit when cdrdao is installed with the +s chmod flag. Using --save now also forces an early exit after the settings are saved. Lars please bump. vorlon@gentoo.org 2005-05-24 04:24:29 0000 correcting component jaervosz@gentoo.org 2005-05-25 06:59:12 0000 Vorlon afaik this only makes cdr drop privs, there is no known vuln fixed as such, no? Lars please bump. jaervosz@gentoo.org 2005-06-23 05:13:45 0000 Lars any news on this one? pylon@gentoo.org 2005-06-29 13:14:11 0000 Stupid cdrdao-homepage. The 1.2.0-version is listed in sourceforge, but not on their homepage. I currently try to install 1.2.0 with the latest 1.1.9-ebuild. pylon@gentoo.org 2005-06-29 14:24:20 0000 Two things: 1) The vulnerability works only with cdrdao installed setuid root (as the first posting states). This is not the default within Gentoo. 2) As an information in advance: The gnome interface gcdmaster which can be built with cdrdao needs the following packages stable for version cdrdao-1.2.0: >=dev-cpp/gconfmm-2.6 >=dev-cpp/libglademm-2.4 >=dev-cpp/gnome-vfsmm-2.6 >=dev-cpp/libgnomecanvasmm-2.6 >=dev-cpp/libgnomemm-2.6 >=dev-cpp/libgnomeuimm-2.6 These are all gnome-herd packages. Please ask if the packages are ready for stable usage. I'll add a testing masked version of cdrdao-1.2.0 as soon as it has been compiled on my machine. dercorny@gentoo.org 2005-06-30 07:05:37 0000 Added gnome to CC like requested by foser - he will take a look when he has some time. vorlon@gentoo.org 2005-07-09 12:09:06 0000 any news on this one? jaervosz@gentoo.org 2005-07-21 00:44:32 0000 foser/pylon any news on this one? pylon@gentoo.org 2005-07-21 04:23:55 0000 See my comment #6. I'm waiting for the gnome-herd masking some packages stable. Otherwise a newer cdrdao won't become stable. dang@gentoo.org 2005-07-21 08:02:17 0000 These are all owned by the gnome-mm herd, adding to cc. ka0ttic@gentoo.org 2005-07-21 08:46:17 0000 I'll work on the others, but pYrania maintains gnome-vfsmm. ka0ttic@gentoo.org 2005-07-21 10:12:15 0000 >=dev-cpp/gconfmm-2.6 <- done >=dev-cpp/libglademm-2.4 <- done earlier this week >=dev-cpp/gnome-vfsmm-2.6 <- waiting on pYrania >=dev-cpp/libgnomecanvasmm-2.6 <- done by someone else at some point >=dev-cpp/libgnomemm-2.6 <- done >=dev-cpp/libgnomeuimm-2.6 <- waiting on gnome-vfsmm stable pylon@gentoo.org 2005-07-21 15:58:44 0000 >=dev-cpp/gnome-vfsmm-2.6 <- it's stable now on x86. Now we can get >=dev-cpp/libgnomeuimm-2.6 stable. ppc, ppc64 and sparc are already ready for the cdrdao-upgrade. There is no other open bug from it's testing phase. When all dependencies are done for x86, I'll mask cdrdao-1.2.0 stable. ka0ttic@gentoo.org 2005-07-21 17:00:23 0000 dev-cpp/libgnomeuimm-2.6.0 stable on x86 pylon@gentoo.org 2005-07-21 22:55:56 0000 cdrdao-1.2.0 stable on x86 and ppc. Other arches should test and upgrade to cdrdao-1.2.0. pylon@gentoo.org 2005-07-21 23:01:06 0000 Arches, please test and make stable cdrdao-1.2.0. Current keywords: cdrdao-1.2.0: ~amd64 ppc ~ppc64 ~sparc x86 Target keywords: cdrdao-1.2.0: alpha amd64 hppa ia64 ppc ppc64 sparc x86 I previously dropped the alpha, hppa and ia64 keyword for this version as it contains major changes. corsair@gentoo.org 2005-07-22 01:44:32 0000 stable on ppc64 herbs@gentoo.org 2005-07-22 05:41:41 0000 Stable on amd64. gustavoz@gentoo.org 2005-07-22 06:42:25 0000 sparc stable. dercorny@gentoo.org 2005-07-22 11:19:30 0000 LLoydBates reported a minor problem with the ebuild, it adds 1.1.9 as version, not 1.2.0: # Add gentoo to version sed -i -e "s:^PACKAGE_STRING='cdrdao 1.1.9':PACKAGE_STRING='cdrdao 1.1.9 gentoo':" configure Removing remaining arches until another ebuild comes so that they can spend their time for other bugs ;) pylon@gentoo.org 2005-07-23 05:35:44 0000 Fix done (and in a way, it should not happen again ;-) ). Remaining arches are alpha, hppa and ia64. dercorny@gentoo.org 2005-07-23 05:46:25 0000 Alpha, ia64, hppa: please mark cdrdao-1.2.0 stable, thanks! killerfox@gentoo.org 2005-07-23 06:46:41 0000 We (hppa) are working on marking stable this ebuild. But we need further testing because of major changes. killerfox@gentoo.org 2005-07-30 02:58:05 0000 Now stable on hppa. Sorry for the delay. ferdy@gentoo.org 2005-07-30 16:27:13 0000 cdrdao is p.masked in alpha until we can mark cdrdao-1.2.0 stable. Cheers Ferdy koon@gentoo.org 2005-07-31 04:28:23 0000 I guess we can now close this one. Reopen if you disagree.