|Summary:||=media-tv/mythtv-0.27_p20140321: root privilege escalation via init script|
|Product:||Gentoo Security||Reporter:||Michael Orlitzky <mjo>|
|Component:||Auditing||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||cardoe, proxy-maint, security-audit, thebitpit|
|Package list:||Runtime testing required:||---|
Description Michael Orlitzky 2016-12-22 18:32:43 UTC
This vulnerability has already been fixed; it only needs a stabilization (bug #573250) and the removal of the affected version.

The old init script for mythtv calls chown recursively on two directories:

  chown -R mythtv:video /var/log/mythtv/
  chown -R mythtv:video /home/mythtv/

Once the mythtv user owns those directories, he can place hard links in them. The next time mythtv is started, the recursive chown affects the targets of those hardlinks, giving control of them to the mythtv user. In that way, mythtv (or anyone in the video group) can take (group) ownership of any file on the system. For example,

  $ sudo su mythtv -c 'ln /home/mjo/foo.txt /home/mythtv/foo.txt'
  $ sudo /etc/init.d/mythbackend start
  $ ls ~/foo.txt
  -rw-r--r-- 2 mythtv video 6 2016-12-22 13:29 /home/mjo/foo.txt

This was fixed in mythbackend.init-r2 by calling checkpath non-recursively.
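An audit for the pattern described in the report above, added here as an example; it is not part of the original bug report or of the Gentoo ebuild. The function names `scan_recursive_chown` and `multilinked_files` are hypothetical, and the directories to check are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print "file:line:text" for every init-script line that runs chown
# recursively (-R, combined short flags such as -hR, or --recursive).
# $1: directory holding init scripts, e.g. /etc/init.d
scan_recursive_chown() {
    grep -rnE \
        '(^|[^[:alnum:]_])chown[[:space:]]+(-[[:alnum:]]*R[[:alnum:]]*|--recursive)([[:space:]]|$)' \
        "$1" 2>/dev/null
}

# Print regular files under a directory whose link count is above 1.
# Inside a directory owned by a service account, such a file shares its
# inode with a name elsewhere, so a root-run recursive chown of the
# directory also changes the owner of that other name.
# $1: directory the init script hands to the service user
multilinked_files() {
    find "$1" -xdev -type f -links +1 -print 2>/dev/null
}

# Stand-alone use: sh audit.sh <init-script-dir> <service-dir>
if [ "$#" -eq 2 ]; then
    echo "Recursive chown calls in $1:"
    scan_recursive_chown "$1" || echo "  (none)"
    echo "Files with extra hard links under $2:"
    multilinked_files "$2"
fi
```

A hit from the first function identifies a script worth reviewing; a hit from the second shows a file that the next run of such a script would re-own.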
Comment 1 Richard Freeman 2016-12-22 19:55:37 UTC
Sorry about that, didn't notice I was still listed on the project page. I'm going to un-CC from this as I haven't touched mythtv in a while. Depending on cardoe's activity level somebody else may need to stabilize this.
Comment 2 Doug Goldstein (RETIRED) 2016-12-23 20:52:12 UTC
I haven't used MythTV since at least April and no longer have it installed as well. I'll remove myself from the project page as well. It looks like this is just waiting on x86 to stabilize it or be dropped. They never responded on #573250 and once they do we can remove the vulnerable versions.
Comment 3 Michael Orlitzky 2017-04-23 00:06:42 UTC
The affected version has been removed from the tree, so this is fixed. It wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right now.
Comment 4 Robin Johnson 2020-04-03 23:16:42 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 6 Sam James 2020-05-24 17:59:57 UTC
(In reply to Michael Orlitzky from comment #3)
> The affected version has been removed from the tree, so this is fixed. It
> wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right
> now.

@proxy maintainer, see if this is applicable still and apply accordingly. I'm going to close this as the tree is clean but still investigate if it's useful.