
Bug 135020

Summary: dev-util/motor: ktools buffer overflow / privilege escalation (CVE-2005-3863)
Product: Gentoo Security
Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: enhancement
CC: liquidx, wormo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C2 [glsa] Falco
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-31 03:14:49 UTC

I thought this was an old issue (GLSA 200512-11, CVE-2005-3694, CVE-2005-3863), but at least dev-utils/motor seems to remain unpatched.
3.3.0 is stable in our tree; 3.4.0 is ~arched (x86, ppc).
(Last dev-utils/motor/Changelog mtime = Apr 24 2005)

Debian has just issued DSA-1083-1 concerning this issue:
Debian mentions execution of arbitrary code.


Software: Motor 3.x

CVE reference: CVE-2005-3863

A vulnerability has been reported in Motor, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to the use of a vulnerable version of the ktools library.

For more information:

The vulnerability has been reported in version 3.4.0. Other versions may also be affected.

Restrict use of affected applications to only accept input from trusted sources.

Some Linux vendors have issued fixed packages.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-31 03:18:24 UTC
Patch below:

--- motor-3.2.2.orig/kkstrtext/kkstrtext.h
+++ motor-3.2.2/kkstrtext/kkstrtext.h
@@ -83,7 +83,7 @@
     { \
        va_list vgs__ap; char vgs__buf[1024]; \
        va_start(vgs__ap, fmt); \
-       vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
+       vsnprintf(vgs__buf, 1024, fmt, vgs__ap); c = vgs__buf; \
        va_end(vgs__ap); \
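Review bot: the replacement `vsnprintf(vgs__buf, 1024, fmt, vgs__ap);` repeats the buffer size as a literal separate from the `char vgs__buf[1024];` declaration on the line above; prefer `vsnprintf(vgs__buf, sizeof(vgs__buf), fmt, vgs__ap);` so the bound cannot drift if the buffer is ever resized. The patch also turns over-long output into silent truncation rather than an overflow: the return value of vsnprintf is discarded and the result is assigned unconditionally via `c = vgs__buf;`, so callers cannot distinguish a truncated string from a complete one.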

I'm not sure this is exploitable for code injection.
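As an added illustration of the defensive pattern the hunk above moves toward (not code from ktools, motor, or this bug), the following replaces the unchecked vsprintf/vsnprintf call with a bounded formatter that reports truncation to its caller. It assumes the 1024-byte stack buffer from the patched macro; the demo_* functions and their inputs are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size taken from the patched macro (assumption: 1024 as in the hunk). */
#define VGS_BUF_SIZE 1024

enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/* Bounded equivalent of the macro's vsprintf() call. The bound comes from the
 * caller's sizeof, and the vsnprintf return value is checked: a value >= bufsz
 * means the output did not fit and was cut off, which the macro on this page
 * would silently hide by assigning the buffer to c regardless. */
static enum fmt_status vformat_bounded(char *buf, size_t bufsz,
                                       const char *fmt, va_list ap)
{
    int n;
    if (bufsz == 0) return FMT_ERROR;
    n = vsnprintf(buf, bufsz, fmt, ap);
    if (n < 0) { buf[0] = '\0'; return FMT_ERROR; }
    return ((size_t)n >= bufsz) ? FMT_TRUNCATED : FMT_OK;
}

static enum fmt_status format_bounded(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    enum fmt_status st;
    va_start(ap, fmt);
    st = vformat_bounded(buf, bufsz, fmt, ap);
    va_end(ap);
    return st;
}

/* Constructed input: a run of input_len 'A' bytes formatted into a
 * VGS_BUF_SIZE stack buffer, mirroring the macro's layout. Reports the
 * status and, optionally, the length that actually landed in the buffer. */
static enum fmt_status demo_format(size_t input_len, size_t *out_len)
{
    char vgs_buf[VGS_BUF_SIZE];
    char input[4096];
    enum fmt_status st;
    if (input_len >= sizeof input) input_len = sizeof input - 1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    st = format_bounded(vgs_buf, sizeof vgs_buf, "name=%s", input);
    if (out_len) *out_len = strlen(vgs_buf);
    return st;
}

static enum fmt_status demo_status(size_t input_len) { return demo_format(input_len, NULL); }
static size_t demo_len(size_t input_len) { size_t n = 0; demo_format(input_len, &n); return n; }
```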
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 14:28:25 UTC
Hi liquidx, please provide a fixed ebuild if possible. Thanks in advance.

Sec-team, we should decide if this is exploitable or not for a GLSA decision.
Comment 3 Wolf Giesen (RETIRED) gentoo-dev 2006-06-12 00:10:47 UTC
Hm, as far as I can see, local threat -> execute code, but I don't yet see the privilege escalation here.

Did somebody check whether the other apps depending on ktools were fixed? centericq had glsa-200512-11, groan seems not to be in portage, but Orpheus is, and looking at the Changelog the last change was before the bug was discovered. Not sure of the impact, though.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 07:12:43 UTC
Any news on this one?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:43:07 UTC
liquidx, please advise.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 07:42:48 UTC
We should probably patch this one ourselves or hunt that maintainer down.
Comment 7 Alastair Tse (RETIRED) gentoo-dev 2006-08-22 02:22:08 UTC
Sorry, I didn't even realise I still maintain this package. So what is the solution? Get 3.4.0 to portage or apply that patch?
Comment 8 Alastair Tse (RETIRED) gentoo-dev 2006-08-22 03:14:14 UTC
Committed patch from Debian that is the same as the one in the comments. Bumped to motor-3.3.0-r1 and motor-3.4.0-r1 for stable and unstable respectively. I've taken the liberty to mark it stable for motor-3.3.0 for x86, so we need ppc to mark motor-3.3.0-r1 stable as well.
Comment 9 Wormo (RETIRED) gentoo-dev 2006-08-22 15:24:28 UTC
3.3.0-r1 doesn't seem to work too well here, after I create a project it doesn't get added to the project list.

On the other hand, 3.4.0-r1 does work fine, so I'll stable it and you can get rid of the vulnerable 3.3.0.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-23 08:20:39 UTC
This one is ready for GLSA.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-31 10:06:41 UTC
GLSA 200608-27 sent but does not appear on some gentoo-announce recipients...
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 06:03:31 UTC
Falco, either we should close this one or resend (unless it has mysteriously appeared in the meantime).
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 14:14:55 UTC
GLSA resent and received :)