69868 – app-sci/gimps,setiathome,chessbrain: insecure installation

Bug 69868 - app-sci/gimps,setiathome,chessbrain: insecure installation

Summary: app-sci/gimps,setiathome,chessbrain: insecure installation

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	x86 Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa] jaervosz
Keywords:

Depends on:
Blocks:

Reported:	2004-11-02 12:09 UTC by Ulrich Müller
Modified:	2006-03-23 19:16 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ulrich Müller gentoo-dev

2004-11-02 12:09:53 UTC

app-sci/gimps-23.9 installs /opt/gimps/mprime with ownership nobody:nogroup.
In the default configuration, the initscript executes it as root user.
If /opt is mounted via NFS, it might be possible to overwrite mprime by an arbitrary binary.

The same applies to the stable -23.5 version.

(Probably, it should be the other way around: the binary should be owned by root and run as a special user.)

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-02 13:00:28 UTC

Hi Michal,

Please commit a fixed version.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-04 13:31:20 UTC

sci please fix setiathome,chessbrain and any other applications with similar issues.

Comment 3 Michal Januszewski (RETIRED) gentoo-dev

2004-11-04 14:39:59 UTC

Gimps is now fixed.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-06 07:18:58 UTC

sci please fix this ASAP.

Comment 5 Olivier Fisette (RETIRED) gentoo-dev

2004-11-07 11:18:03 UTC

Fixed for "app-sci/chessbrain".

"app-sci/foldingathome" is also affected.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-07 12:13:17 UTC

Thanks Olivier. 

sci please fix foldingathome also.

Comment 7 Olivier Fisette (RETIRED) gentoo-dev

2004-11-07 12:20:09 UTC

Fixed "app-sci/setiathome-3.08" (the version for x86 and amd64).

Could someone with access to either ppc, sparc, hppa or ia64 please do the same for version 3.03? This seems to be the last affected package.

"app-sci/foldingathome" is not affected. (That was my mistake.)

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-07 12:56:55 UTC

Olivier just update the ebuilds and mark stable on the arches you have access to. Security will handle stable marking for other arches.

Comment 9 Olivier Fisette (RETIRED) gentoo-dev

2004-11-07 13:32:01 UTC

Fixed "app-sci/setiathome-3.03". All four supported arches are marked unstable.

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-07 13:46:38 UTC

Arches please mark setiathome stable. Fixed versions are 3.03-r2 and 3.08-r4.

Combined target keywords for setiathome:

x86 amd64 ppc sparc -alpha hppa ia64

Comment 11 Ferris McCormick (RETIRED) gentoo-dev

2004-11-08 05:56:38 UTC

sparc has following problems with setiathome-3.03-r2:
1) If you happen to have USE='X', installation fails because there is no xsetiathome;
2) If you do not have USE='X', the program installed at /opt/setiathome/setiathome is
   not made executable:  You need to do 'chmod +x /opt/setiathome/setihome' by hand.
(Previous 3.03-r1 ebuild takes care of this, but I do not know if the deletion was intentional or not.
In any event, as it stands, what is installed for -r2 cannot be used but -r1 can be.)
========================
setiathome-3.08 is a nonstarter for sparc, since it does not actually exist.

Regards,
Ferris

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-08 06:53:12 UTC

Back to ebuild status.  Olivier please fix.

Comment 13 Olivier Fisette (RETIRED) gentoo-dev

2004-11-08 07:41:33 UTC

Should be fixed in CVS, but I cannot test it.

Comment 14 Ferris McCormick (RETIRED) gentoo-dev

2004-11-08 08:21:45 UTC

setiathome-3.03-r2 now installs and runs for sparc; sparc done.

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-08 11:19:29 UTC

Back to stable marking. Thx Olivier.

Comment 16 Jochen Maes (RETIRED) gentoo-dev

2004-11-09 01:23:28 UTC

setiathome stable on ppc

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-13 00:00:27 UTC

Thx Ferris. Please remember to remove arch from CC when you mark stable.

Comment 18 Ferris McCormick (RETIRED) gentoo-dev

2004-11-13 05:06:27 UTC

Sorry.  It wasn't completely clear to me that setiathome was the only thing that needed looking at.  (Although I guess Comment 7 gives a pretty good indication.)

Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-14 10:36:06 UTC

GLSA drafted Security please review.

Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2004-11-17 14:28:00 UTC

GLSA 200411-26

sci please remember to remove old vulnerable ebuilds that are no longer needed.

Comment 21 Olivier Fisette (RETIRED) gentoo-dev

2004-11-18 05:53:48 UTC

Removed insecure versions for "app-sci/{gimp,chessbrain}". Must hppa and ia64 
mark "app-sci/setiathome-3.03-r2" stable before I remove r1, or should I remove 
it immediately?

Comment 22 Thierry Carrez (RETIRED) gentoo-dev

2004-11-18 14:01:30 UTC

Yes, you should remove r1 only when hppa and ia64 mark "app-sci/setiathome-3.03-r2" stable.

Comment 23 René Nussbaumer (RETIRED) gentoo-dev

2005-06-26 05:03:48 UTC

Removed hppa keyword because the tarball is not available