Summary: media-video/vdr CAN-2005-0071: overwrites arbitrary files (Vendor-Sec)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B3 [glsa] koon
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) 2005-01-16 08:47:37 UTC
Javier Fernández-Sanguino Peña from the Debian Security Audit Team has discovered that the vdr daemon which is used for video disk recorders for DVB cards can overwrite arbitrary files. Not sure if one of you has vdr running as root as well, but we had this situation in our slightly old stable release. If it is running as a separate user, you're fine. If it is running as root, the attached patch will fix this problem. Please let me know if you require coordination with this vulnerability.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-16 08:49:27 UTC
Created attachment 48663: CAN-2005-0071.patch
Comment 3 Chris White (RETIRED) 2005-01-17 10:32:35 UTC
I'm really not sure on this one, as the conditions seem pretty pathetic to execute this bug. I mean.. if the person has root access, wth, who needs vdr to remove arbitrary files :|. You just rm -rf / and you've caused more damage than this will ever cause. Maybe it's just me.. but it seems like you'd have to be some sort of computer masochist(sp?) to actually do damage with this. I'll apply the patch shortly though just to make people happy...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-17 14:44:18 UTC
I guess a malicious user theoretically could control the DVB input for vdr and thus exploit this vulnerability.
Comment 5 Thierry Carrez (RETIRED) 2005-01-18 01:13:03 UTC
Looks like Debian is affected because they are starting the vdr daemon as root. My question is, do we have an rc-script to run that daemon at startup? If so, does it make use of the root user or a specific user? If we don't provide init scripts to run it at startup or if those init scripts use a specific user, then I think it's shallow and should be dropped. But if like Debian we provide an init script to start it on startup as root, then we should probably fix... I didn't manage to install it on my amd64 (pulls weird depends) so I couldn't test it. Hope someone else will be able to answer that question. From what Chris says I understand it's not automatically started so perhaps it's just better to ignore this.
Comment 6 Thierry Carrez (RETIRED) 2005-01-24 05:38:22 UTC
Created attachment 49363: vdr-1.2.6_CAN-2005-0071.patch
Current patch does not apply to 1.2.6 (filenames changed). Here is a patch adapted for VDR 1.2.6, untested.
Comment 7 Thierry Carrez (RETIRED) 2005-01-24 05:39:59 UTC
I think this applies to us because "runvdr" runs as root by default. Given the scope it's probably better to wait for this to be public.
Comment 8 Thierry Carrez (RETIRED) 2005-01-25 08:06:33 UTC
Public now: Debian Security Advisory DSA 656-1. Unclassified signoff: koon/jaervosz. media-video herd, please apply attached patch.
Comment 9 Jan Brinkmann (RETIRED) 2005-01-25 08:15:45 UTC
Tested and committed.
Comment 10 Thierry Carrez (RETIRED) 2005-01-27 06:53:03 UTC
luckyduck/media-video: please create a new revision for the ebuilds, so that people with vdr installed can get the fix by upgrading.
Comment 11 Jan Brinkmann (RETIRED) 2005-01-27 07:09:12 UTC
Comment 12 Thierry Carrez (RETIRED) 2005-01-27 07:16:31 UTC
GLSA vote. We issue GLSAs for tmpfile vulns and Debian issued one, so I vote YES.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-29 02:22:13 UTC
I vote YES to this one as well.
Comment 14 Thierry Carrez (RETIRED) 2005-01-30 10:51:12 UTC