Bug 702652

Summary: x11-misc/xscreensaver-5.43-r1 ships /usr/lib64/misc/xscreensaver/sonar with cap_net_raw by default
Product: Gentoo Security
Reporter: Matthias Gerstner <mgerstner>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: desktop-misc
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Matthias Gerstner 2019-12-13 09:14:12 UTC
It seems with one of the more recent updates of xscreensaver, /usr/lib64/misc/xscreensaver/sonar is now by default installed with capability cap_net_raw, allowing it to map the network and network response times.

It is my understanding that in the past the `suid` use flag of xscreensaver was supposed to control this privilege of the sonar screensaver.

Upstream now added a configure switch `--with-setcap-hacks`, which defaults to `yes` and seems to be the cause of this silently added privilege.

This is a decline in default security and users can't even explicitly remove this behaviour via use flags at the moment.

I suggest passing `--with-setcap-hacks=no` by default and either tying this setting to the existing `suid` use flag or adding a new use flag specifically for the capability setting.

Reproducible: Always

Steps to Reproduce:
1. emerge xscreensaver
2. getcap /usr/lib64/misc/xscreensaver/sonar

Actual Results:
You will find that cap_net_raw is set on the sonar binary.

Expected Results:
No extra privileges should be set on the sonar binary by default.
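
The check in the reproduction steps depends on libcap's `getcap`, which is not installed everywhere. The script below is an added example, not part of the bug report, of xscreensaver or of Gentoo's ebuild: it decodes the `security.capability` xattr that the kernel stores for file capabilities (so it needs no libcap at all) and also parses `getcap -r` output in both the older `path = caps` and newer `path caps` line formats, flagging binaries that carry a capability from a watch list. The embedded xattr blob, the sample `getcap` listing and the `WATCH` set are constructed for the example.

```python
# Added example, not from the bug report, xscreensaver or the Gentoo ebuild: audit
# file capabilities such as the cap_net_raw on sonar, by decoding the
# security.capability xattr directly (no libcap/getcap needed) and by parsing
# `getcap -r` output in both its old and new line formats.
import os, struct, sys

# Capability names in <linux/capability.h> order; list index == cap number.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()
CAP_NET_RAW = CAP_NAMES.index("net_raw")        # 13
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001            # bit 0 of magic_etc
XATTR_SIZES = {0x02000000: 20, 0x03000000: 24}  # xattr revision -> byte size
# Constructed watch list: capabilities worth a second look on a packaged binary.
WATCH = {"cap_net_raw", "cap_net_admin", "cap_sys_admin", "cap_sys_ptrace", "cap_setuid"}

def cap_names(mask):
    """Capability bitmask -> set of cap_* names."""
    return {"cap_" + CAP_NAMES[n] for n in range(len(CAP_NAMES)) if mask >> n & 1}

def decode_vfs_caps(blob):
    """Decode a security.capability value (struct vfs_cap_data, revision 2 or 3):
    little-endian u32 magic_etc (revision in the top byte, bit 0 = effective), then
    permitted/inheritable low and high words (revision 3 also carries a root uid,
    ignored here). Returns (effective, permitted, inheritable)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0] if len(blob) >= 4 else 0
    if XATTR_SIZES.get(magic_etc & 0xFF000000) != len(blob):
        raise ValueError(f"unsupported security.capability revision or size {len(blob)}")
    p0, i0, p1, i1 = struct.unpack_from("<IIII", blob, 4)
    return bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), p0 | p1 << 32, i0 | i1 << 32

def parse_getcap_line(line):
    """One `getcap -r` line -> (path, {cap_name: set of flag letters e/i/p}) or None.
    libcap < 2.41 prints '/path = cap_net_raw+ep', newer libcap '/path cap_net_raw=ep';
    each space-separated clause is comma-separated names, an operator (= + -), flags."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, text = line.split(" = ", 1)
    else:
        path, _, text = line.partition(" ")
    caps = {}
    for clause in text.split():
        idx = next((k for k, ch in enumerate(clause) if ch in "=+-"), None)
        if idx is None:
            continue
        names, op, flags = clause[:idx], clause[idx], set(clause[idx + 1:])
        for name in names.split(","):
            if op == "=":
                caps[name] = set(flags)
            elif op == "+":
                caps.setdefault(name, set()).update(flags)
            else:
                caps.setdefault(name, set()).difference_update(flags)
    return path, caps

def audit_getcap_output(text, watch=WATCH):
    """[(path, watched caps that are permitted or effective)] over getcap -r output."""
    findings = []
    for parsed in map(parse_getcap_line, text.splitlines()):
        if parsed:
            path, caps = parsed
            hits = sorted(n for n, f in caps.items() if n in watch and f & {"e", "p"})
            if hits:
                findings.append((path, hits))
    return findings

def scan_tree(root):
    """Walk root reading security.capability from each file (Linux only; needs only
    read access to the xattr). Returns {path: (effective, permitted cap names)}."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA means no caps set; also ENOTSUP, EACCES, ...
                continue
            eff, perm, _ = decode_vfs_caps(blob)
            found[path] = (eff, cap_names(perm))
    return found

# Constructed sample input: what `setcap cap_net_raw+ep sonar` stores (revision 2,
# effective bit set, permitted bit 13) and a made-up `getcap -r /` listing.
SONAR_XATTR = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << CAP_NET_RAW, 0, 0, 0)
SAMPLE_GETCAP = """\
/usr/lib64/misc/xscreensaver/sonar = cap_net_raw+ep
/bin/ping cap_net_raw=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
"""

if __name__ == "__main__":
    for path, hits in audit_getcap_output(SAMPLE_GETCAP):
        print(f"{path}: {', '.join(hits)}")
    if len(sys.argv) > 1 and hasattr(os, "getxattr"):  # e.g. /usr/lib64/misc
        for path, (eff, perm) in scan_tree(sys.argv[1]).items():
            print(f"{path}: {','.join(sorted(perm))}{'+ep' if eff else '+p'}")
```

Run with a directory argument (for example `/usr/lib64/misc`) to list every file under it that carries capabilities, including the sonar binary this bug is about. `setcap -r <file>` strips them from a file, but that is only a stopgap: the next `emerge` of the package restores whatever the ebuild's configure options install.
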
Comment 1 Larry the Git Cow gentoo-dev 2019-12-13 09:58:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39f6b50d8542413ba49747c3ae2d523b207718f3

commit 39f6b50d8542413ba49747c3ae2d523b207718f3
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-13 09:54:53 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-13 09:58:14 +0000

    x11-misc/xscreensaver: Add IUSE=caps
    
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/702652
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 x11-misc/xscreensaver/xscreensaver-5.43-r1.ebuild | 4 +++-
 x11-misc/xscreensaver/xscreensaver-5.43-r2.ebuild | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
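
Review bot: the commit message says only "Add IUSE=caps" and the diffstat shows four changed lines per ebuild, so neither states whether the new `caps` flag is enabled by default or how it relates to the existing `suid` USE flag the reporter mentions. Since the report asks for `--with-setcap-hacks=no` as the default, a sentence in the commit message (and in the flag's metadata.xml description) saying that `caps` defaults to off and what it passes to configure would let users confirm the fix without reading the ebuild diff.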