Erik Sjölund discovered that zhcon, a fast console CJK system using the Linux framebuffer, accesses a user-controlled configuration file with elevated privileges. Thus, it is possible to read arbitrary files. Please let me know if you need coordination for this bug. This patch fixes the problem --- zhcon-0.2.orig/src/configfile.cpp +++ zhcon-0.2/src/configfile.cpp @@ -19,13 +19,20 @@ #include <stdexcept> #include <fstream> #include <cstdlib> +#include <unistd.h> +#include <sys/types.h> #include "configfile.h" ConfigFile::ConfigFile(const char *fn) { + uid_t euid; + + euid = geteuid(); + setuid(getuid()); ifstream in(fn); if (!in) throw runtime_error("Could not open config file!"); ParseFile(in); + setuid(euid); } ConfigFile::~ConfigFile() {}
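Review bot: The privilege drop in ConfigFile::ConfigFile calls setuid(getuid()) without checking the return value, and when the effective uid is 0 that call also resets the real and saved user IDs, so the later setuid(euid) cannot restore anything and fails silently. For a temporary drop, use seteuid(getuid()) before opening fn and seteuid(euid) afterwards, check both results, and abort if either fails. The restore is also skipped on the throw runtime_error("Could not open config file!") path and whenever ParseFile(in) throws, so the privilege state after the constructor depends on whether the file parsed; a small guard object that restores in its destructor would make that consistent. Only the user ID is handled in this hunk, so if the binary is also installed setgid the file is still opened with the elevated group.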
Maybe better wait for public disclosure on this one?
Created attachment 49025: CAN-2005-0072.patch. Better patch, please ignore previous one.
public @ http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:012 cjk, please apply patch.
There is no one maintaining zhcon right now. The package is out of date, but just remove from portage.
I've just got this mail today (had mail problem for a week). I'll apply the patch asap.
patch applied with zhcon-0.2.3-r1. in cvs.
Ready for GLSA vote
I tend to vote for no GLSA on this one (few installs).
Not sure about the exact procedure, but both Debian and Mandrake posted one.
Alastair: we follow our own rules :) See vulnerability treatment policy at http://www.gentoo.org/security/en/vulnerability-policy.xml. zhcon looks like a local tool which requires access to framebuffer console. If you have physical access to the machine, being able to read arbitrary files is probably the least you can do... so I tend to vote NO. Third opinion?
koon, valid point. I'll leave it up to you guys to decide the severity :)
I'd say GLSA is ok for this one.
Eh, I would have to vote no.
Closing without GLSA. If anyone disagrees feel free to reopen.