Bug 603488

Summary: =media-tv/mythtv-0.27_p20140321: root privilege escalation via init script
Product: Gentoo Security Reporter: Michael Orlitzky <mjo>
Component: Auditing Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: cardoe, proxy-maint, security-audit, thebitpit
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=540006
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2016-12-22 18:32:43 UTC
This vulnerability has already been fixed; it only needs a stabilization (bug #573250) and the removal of the affected version.

The old init script for mythtv calls chown recursively on two directories:

  chown -R mythtv:video /var/log/mythtv/
  chown -R mythtv:video /home/mythtv/

Once the mythtv user owns those directories, he can place hard links in them. The next time mythtv is started, the recursive chown affects the targets of those hardlinks, giving control of them to the mythtv user. In that way, mythtv (or anyone in the video group) can take (group) ownership of any file on the system. For example,

  $ sudo su mythtv -c 'ln /home/mjo/foo.txt /home/mythtv/foo.txt'
  $ sudo /etc/init.d/mythbackend start
  $ ls ~/foo.txt
  -rw-r--r-- 2 mythtv video 6 2016-12-22 13:29 /home/mjo/foo.txt

This was fixed in mythbackend.init-r2 by calling checkpath non-recursively.
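
A defender-side check for the condition described above, as an added example that is not part of the original report or of the Gentoo init script: it lists files under a service-owned directory that also have a name outside it, which are the files a recursive chown would re-own. The function name `audit_chown_tree` is hypothetical, and `stat -c` (GNU coreutils or busybox) and newline-free file names are assumed.

```shell
#!/bin/sh
# Added example, not from the bug report. audit_chown_tree is a hypothetical name.
# Assumes stat(1) supports -c (GNU coreutils, busybox) and that file names
# contain no newlines.

# audit_chown_tree DIR
#   Prints each non-directory under DIR whose inode has more names than were
#   found inside DIR, i.e. at least one name lives outside the tree, so a
#   recursive chown of DIR would also change ownership of that outside file.
#   Returns 0 if the tree is clean, 1 if such files exist, 2 on bad usage.
audit_chown_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -xdev: hard links cannot cross filesystems; -links +1: inode has >1 name.
    # stat prints "<inode> <link count> <path>" for every candidate.
    hits=$(find "$dir" -xdev ! -type d -links +1 \
               -exec stat -c '%i %h %n' {} + |
           awk '{
                   ino = $1; nlink = $2 + 0
                   sub(/^[0-9]+ [0-9]+ /, "")      # rest of the line is the path
                   inside[ino]++; total[ino] = nlink
                   paths[ino] = paths[ino] $0 "\n"
                }
                END {
                   # Links that all sit inside the tree are harmless here.
                   for (i in inside)
                       if (total[i] > inside[i]) printf "%s", paths[i]
                }')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use: audit the directory given on the command line.
if [ "$#" -gt 0 ]; then
    audit_chown_tree "$1"
fi
```

Run against /var/log/mythtv and /home/mythtv, a non-zero exit status means at least one file there shares its inode with a path outside the directory.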
Comment 1 Richard Freeman gentoo-dev 2016-12-22 19:55:37 UTC
Sorry about that, didn't notice I was still listed on the project page.  I'm going to un-CC from this as I haven't touched mythtv in a while.  Depending on cardoe's activity level somebody else may need to stabilize this.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2016-12-23 20:52:12 UTC
I haven't used MythTV since at least April and no longer have it installed as well. I'll remove myself from the project page as well.

It looks like this is just waiting on x86 to stabilize it or be dropped. They never responded on #573250 and once they do we can remove the vulnerable versions.
Comment 3 Michael Orlitzky gentoo-dev 2017-04-23 00:06:42 UTC
The affected version has been removed from the tree, so this is fixed. It wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right now.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:42 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:04 UTC
unrestricting per bug 705894
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 17:59:57 UTC
(In reply to Michael Orlitzky from comment #3)
> The affected version has been removed from the tree, so this is fixed. It
> wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right
> now.

@proxy maintainer, see if this is applicable still and apply accordingly.

I'm going to close this as the tree is clean but still investigate if it's useful.