Javier Fernández-Sanguino Peña from the Debian Security Audit Team has discovered that the vdr daemon which is used for video disk recorders for DVB cards can overwrite arbitrary files. Not sure if one of you has vdr running as root as well, but we had this situation in our slightly old stable release. If it is running as a separate user, you're fine. If it is running as root, the attached patch will fix this problem. Please let me know if you require coordination with this vulnerability.
Created attachment 48663: CAN-2005-0071.patch
I'm really not sure on this one, as the conditions seem pretty pathetic to execute this bug. I mean.. if the person has root access, wth, who needs vdr to remove arbitrary files :|. You just rm -rf / and you've caused more damage than this will ever cause. Maybe it's just me.. but it seems like you'd have to be some sort of computer masochist (sp?) to actually do damage with this. I'll apply the patch shortly though just to make people happy...
I guess a malicious user theoretically could control the DVB input for vdr and thus exploit this vulnerability.
Looks like Debian is affected because they are starting the vdr daemon as root. My question is, do we have an rc-script to run that daemon at startup? If so, does it make use of the root user or a specific user? If we don't provide init scripts to run it at startup, or if those init scripts use a specific user, then I think it's shallow and should be dropped. But if, like Debian, we provide an init script to start it at startup as root, then we should probably fix... I didn't manage to install it on my amd64 (pulls weird depends) so I couldn't test it. Hope someone else will be able to answer that question. From what Chris says I understand it's not automatically started, so perhaps it's just better to ignore this.
Created attachment 49363: vdr-1.2.6_CAN-2005-0071.patch

Current patch does not apply to 1.2.6 (filenames changed). Here is a patch adapted for VDR 1.2.6, untested.
I think this applies to us because "runvdr" runs as root by default. Given the scope it's probably better to wait for this to be public.
Public now: Debian Security Advisory DSA 656-1. Unclassified, signoff: koon/jaervosz. media-video herd, please apply attached patch.
Tested and committed.
luckyduck/media-video: please create a new revision for the ebuilds, so that people with vdr installed can get the fix by upgrading.
OK, done.
GLSA vote. We issue GLSAs for tmpfile vulns and Debian issued one, so I vote YES.
I vote YES to this one as well.
GLSA 200501-42