Bug 128419 - media-sound/esound insufficient input validation
Summary: media-sound/esound insufficient input validation
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: RESTRICTED
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-01 11:01 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-12-27 01:19 UTC

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-01 11:01:48 UTC
The library invokes commands in some situations with user supplied
input allowing `backticks` to be inserted and arbitrary commands
executed.
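The bug class described above is shell command injection: a library builds a command line from a string it did not originate and hands it to the shell, so a backtick or $(...) sequence in that string runs as a separate command. The following is an added illustration of that pattern and of the usual fix; it is not esound's code, and the command and file names in it (a hypothetical external player invoked on a user-supplied file name) are assumed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (hypothetical, modelled on the bug class, not esound's
 * code): a caller-supplied file name is spliced into a command line that is
 * later passed to system()/popen(), i.e. to /bin/sh -c.  Anything the shell
 * interprets in that string (backticks, $(...), ';', '|', ...) is executed. */
int build_command_unsafe(char *out, size_t outlen,
                         const char *player, const char *filename)
{
    int n = snprintf(out, outlen, "%s %s", player, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if the string carries characters /bin/sh would interpret.
 * Useful as a last-resort input check, but the real fix is below:
 * never let the string reach a shell at all. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, "`$;|&<>()\n'\"\\") != NULL;
}

/* Runs a command line through the shell and returns its exit status
 * (-1 on failure).  This is the path the vulnerable pattern takes. */
int run_via_shell(const char *cmdline)
{
    int st = system(cmdline);
    if (st == -1) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: fork + execvp with an argument vector.  Each argv entry
 * reaches the program verbatim; no shell is involved, so backticks in a
 * file name are just bytes in a file name.  Returns the exit status. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed payload: a "file name" carrying a backtick sequence. */
    const char *payload = "`echo x`";
    char cmd[256];

    if (build_command_unsafe(cmd, sizeof cmd, "test", payload) == 0)
        printf("string handed to the shell: %s\n", cmd);
    printf("input check flags it: %d\n", has_shell_meta(payload));

    /* Via the shell, `echo x` is expanded before test(1) sees its arguments,
     * so "test x = x" succeeds (status 0).  Without a shell, test(1) compares
     * the literal string "`echo x`" with "x" and fails (status 1). */
    printf("via shell:    status %d\n", run_via_shell("test `echo x` = x"));
    char *argv[] = { "test", (char *)payload, "=", "x", NULL };
    printf("via execvp:   status %d\n", run_without_shell(argv));
    return 0;
}
```

The exit-status comparison is the point: the same argument list gives status 0 through the shell (the backtick sequence ran) and status 1 through execvp (it did not). Whether such an injection matters for privilege escalation depends on who the calling process is, which is why the thread below asks whether any setuid or setgid binaries link against the library.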
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-01 11:03:59 UTC
Setting this as RESTRICTED until it is publicly available.

We should check whether any setuid or setgid binaries link to esound.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-07 23:29:39 UTC
Leonardo please advise.
Comment 3 Leonardo Boshell (RETIRED) gentoo-dev 2006-04-10 12:13:16 UTC
Do you have any more details about the problem? I'd appreciate any pointers to upstream bugs, discussions on ml's, test cases, etc.

Thanks.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-10 16:06:58 UTC
Not at the moment but I can ask. However it is only an issue if we have any setuid/setgid binaries linking to it.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:34:05 UTC
See list of rrdep at:
http://tinderbox.x86.dev.gentoo.org/misc/rindex/media-sound/esound
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 10:44:24 UTC
I propose to close this one as invalid, pending an attack vector...
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-16 11:11:41 UTC
Closing as INVALID for now.