Bug 82148 - Security update not applied to Synaesthesia Privilege Escalation Vulnerabilities
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/10945/
Reported: 2005-02-15 12:17 UTC by eromang
Modified: 2005-02-15 13:36 UTC
Description eromang 2005-02-15 12:17:34 UTC
Some vulnerabilities have been reported in Synaesthesia, which potentially can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

 1) Synaesthesia creates a configuration file with root privileges, which is writable by the users group. This can potentially be exploited to escalate privileges.

 2) Synaesthesia reads configuration and mixer files with root privileges. This can potentially be exploited to disclose sensitive information.

Solution:
Remove the setuid bit.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.



Expected Results:  
Privilege escalation
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 13:36:29 UTC
Apparently our synaesthesia doesn't have the setuid bit. Please reopen if you disagree.
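
The check that decides a report like this one, as an added example that is not part of the bug report or of Gentoo's tooling: it tests an installed binary for the setuid bit and any configuration files it writes for group write access, the two conditions named in the description. It also flags setgid and world-writable files, which goes slightly beyond the advisory text; the function names and the paths in the usage comment are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example. Usage (placeholder paths, not taken from the bug):
#   audit_setid_install /path/to/binary /path/to/config-file

# is_setid FILE: succeeds if FILE is a regular file with setuid or setgid set.
is_setid() {
    [ -f "$1" ] && { [ -u "$1" ] || [ -g "$1" ]; }
}

# is_loosely_writable FILE: succeeds if the group or other write bit is set.
is_loosely_writable() {
    [ -e "$1" ] || return 1
    # -prune keeps find from descending if a directory is passed.
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_setid_install BINARY [CONFIG...]
# Prints one line per check and returns the number of findings (0 = clean).
audit_setid_install() {
    bin=$1
    shift
    findings=0
    if is_setid "$bin"; then
        echo "FINDING: setuid/setgid bit set: $(ls -ld "$bin")"
        findings=$((findings + 1))
    else
        echo "ok: no setuid/setgid bit on $bin"
    fi
    for cfg in "$@"; do
        if is_loosely_writable "$cfg"; then
            echo "FINDING: group- or world-writable: $(ls -ld "$cfg")"
            findings=$((findings + 1))
        else
            echo "ok: $cfg is not group- or world-writable"
        fi
    done
    return "$findings"
}
```

A return value of 0 corresponds to the situation described in comment 1; where the bit is present, the report's stated solution is to remove it.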