Bug 13291 - lcdproc-0.4.1 remote exploit and other ebuild issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High critical
Assignee: Gentoo Security
Reported: 2003-01-05 08:54 UTC by Rene Wagner
Modified: 2003-01-07 11:00 UTC

Attachments
lcdproc-0.4.3.tar.gz (lcdproc-0.4.3.tar.gz,2.81 KB, text/plain)
2003-01-05 08:55 UTC, Rene Wagner
lcdproc-0.4.3.ebuild.diff (lcdproc-0.4.3.ebuild.diff,3.69 KB, text/plain)
2003-01-05 09:05 UTC, Rene Wagner
lcdproc-0.4.3-init-scripts.diff (init-scripts.diff,1.48 KB, text/plain)
2003-01-05 09:13 UTC, Rene Wagner
lcdproc-0.4.3-gentoo.diff (lcdproc-0.4.3-gentoo.diff,2.74 KB, text/plain)
2003-01-05 09:18 UTC, Rene Wagner
Description Rene Wagner 2003-01-05 08:54:32 UTC
Hi,

as one of the lcdproc developers (http://lcdproc.org) I was a bit astonished to 
find an ebuild of lcdproc-0.4.1 in the Gentoo CVS.

The client communication code in the server core of 0.4.1 didn't check for 
buffer overflows and is therefore vulnerable to a potential remote exploit.
http://online.securityfocus.com/archive/1/56411

Considering the fact that LCDd is run as ROOT this must be seen as a serious 
threat to any system running LCDd (0.4.1).

However, this was fixed long ago. Also, LCDd can now be configured to listen
to 127.0.0.1 only (default) and to run as a normal user unless direct I/O access
is necessary for parport devices.

The current stable version of LCDproc is 0.4.3. Yet, the 0.4.3 ebuild is masked 
out (~x86) and is in a generally poor state.

The author of the ebuild obviously missed the fact that LCDd now has its own
configuration file and of course relies on its existence.
Also a pseudo configuration file /etc/conf.d/lcdproc will most definitely 
irritate every user trying to set up LCDproc (We've had that with the Debian
package, which still shouldn't be seen as a reference package.).

I strongly recommend applying the patches I've attached and REMOVING the 
lcdproc-0.4.1 ebuild.

I've attached a tar.gz of the complete ebuild (minus ChangeLog), a patch against
the current lcdproc-0.4.3.ebuild, a patch against the "files/lcdproc" init 
script (which also adds "files/lcdd", a separate init script for LCDd), and
"files/lcdproc-0.4.3-gentoo.diff", a patch against lcdproc-0.4.3 fixing a memory
leak in the main loop of LCDd and other issues.

Regards,

Rene
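
An added example, not part of the original report or of LCDproc's own code: a small audit of the two mitigations the description names (listening on loopback only and running as a normal user). The `[server]` section and its `Bind` and `User` keys are assumed to follow LCDproc's sample LCDd.conf, and both sample configurations are constructed.

```python
import configparser
import ipaddress

# Constructed sample configurations (not from the bug report). The [server]
# section and the Bind/User key names are assumptions about LCDd.conf.
EXPOSED_CONF = """\
[server]
Driver=curses
Bind=0.0.0.0
Port=13666
User=root
"""
HARDENED_CONF = EXPOSED_CONF.replace("0.0.0.0", "127.0.0.1").replace("User=root", "User=nobody")


def audit_lcdd_conf(text):
    """Return findings for the listening address and run-as user of LCDd."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    # Match the section name case-insensitively; option names are already
    # lower-cased by configparser.
    server = next((parser[s] for s in parser.sections() if s.lower() == "server"), None)
    if server is None:
        return ["no [server] section: bind address and user cannot be confirmed"]

    findings = []
    bind = server.get("bind", "").strip()
    if not bind:
        findings.append("Bind not set: listening address depends on the built-in default")
    else:
        try:
            if not ipaddress.ip_address(bind).is_loopback:
                findings.append(f"Bind={bind}: LCDd is reachable from other hosts")
        except ValueError:
            findings.append(f"Bind={bind}: not a literal IP address, check manually")

    user = server.get("user", "").strip()
    if not user:
        findings.append("User not set: privilege drop cannot be confirmed")
    elif user in ("root", "0"):
        findings.append("User=root: only justified for parport drivers needing direct I/O")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_lcdd_conf(conf) or "ok")
```
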
Comment 1 Rene Wagner 2003-01-05 08:55:48 UTC
Created attachment 6978 [details]
lcdproc-0.4.3.tar.gz

$ tar cvfz lcdproc-0.4.3.tar.gz lcdproc
lcdproc/
lcdproc/files/
lcdproc/files/lcdproc
lcdproc/files/lcdproc-0.4.3-gentoo.diff
lcdproc/files/LCDd
lcdproc/lcdproc-0.4.3.ebuild
Comment 2 Rene Wagner 2003-01-05 09:05:14 UTC
Created attachment 6979 [details]
lcdproc-0.4.3.ebuild.diff

$ diff -u /usr/portage/app-misc/lcdproc/lcdproc-0.4.3.ebuild lcdproc-0.4.3.ebuild > ~/ebuilds/lcdproc-submitted/lcdproc-0.4.3.ebuild.diff

- updates description
- updates homepage URL
- unmasks this ebuild
- adds USE flags support (doc ncurses svga)
- adds support for compiling only a given list of drivers 
  (env LCDPROC_DRIVERS=...)
- adds ncurses and svgalib dependencies
- patches the lcdproc sources to fix a few bugs (including a serious 
  memory leak in the main loop of LCDd)
- ./configure's the package properly
- generates html documentation from docbook sources if "doc" is in $USE
- fixes various file locations
- installs configuration files and proper init scripts
Comment 3 Rene Wagner 2003-01-05 09:13:21 UTC
Created attachment 6980 [details]
lcdproc-0.4.3-init-scripts.diff

- separate init scripts for LCDd (server) and lcdproc (client)
- fixes due to new configuration file (/etc/LCDd.conf)
- uses /etc/lcdproc.conf (now only parsed by the init script, which will
  probably change in future LCDproc versions)
- adds depend() {...}
Comment 4 Rene Wagner 2003-01-05 09:18:49 UTC
Created attachment 6981 [details]
lcdproc-0.4.3-gentoo.diff

This is a patch against lcdproc-0.4.3 retrieved directly from the LCDproc CVS.

- fixes a serious memory leak in the main loop of LCDd
- adds some missing code for configuration file parsing (I once forgot to
  commit server/main.c to CVS)
- fixes an improper variable type
Comment 5 Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-07 11:00:38 UTC
Committed, thanks for the updates!  A GLSA will also be sent regarding this.