
Bug 78429

Summary: media-sound/playmidi: Local root vulnerability
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.debian.org/security/2005/dsa-641
Whiteboard: C1 [ebuild] lewk
Package list:
Runtime testing required: ---
Attachments:
Description Flags
CAN-2005-0020.patch none

Description Luke Macken (RETIRED) gentoo-dev 2005-01-17 14:55:11 UTC
CAN-2005-0020

Erik Sjölund discovered that playmidi, a MIDI player, contains a
setuid root program with a buffer overflow that can be exploited by a
local attacker.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-01-17 14:55:57 UTC
Created attachment 48784 [details, diff]
CAN-2005-0020.patch

Patch yoinked from Debian's diff.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-01-17 14:56:58 UTC
sound, please verify/apply patch.
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-18 01:09:22 UTC
in cvs.  ready for GLSA.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 01:15:37 UTC
AFAICT we don't have any of playmidi installed SUID root so this doesn't affect us. sound team, please confirm... In which case it's good to have the fixed version in portage but calling arch testing and GLSA is overkill.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 01:54:46 UTC
-rwxr-xr-x  1 root root 51212 Jan 18 10:51 /usr/bin/gtkplaymidi
-rwxr-xr-x  1 root root 46796 Jan 18 10:51 /usr/bin/playmidi
-rwxr-xr-x  1 root root 41772 Jan 18 10:51 /usr/bin/splaymidi
-rwxr-xr-x  1 root root 46988 Jan 18 10:51 /usr/bin/xplaymidi

Our playmidi doesn't contain any SUID root program. This is not a vulnerability to us, even if it was a bug that it was better to fix.
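
The check made by eye in Comment 5, written as a shell filter over `ls -l` output. This is an added example, not part of the bug thread or of Gentoo's tooling; the function name `suid_root_from_ls` and the path `/example/bin/suidprog` are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: flag setuid-root regular files in `ls -l` output.
# Reads `ls -l` lines on stdin, prints "SUID-ROOT <path>" for each hit and
# exits non-zero if any were found, so it can gate a packaging check.
# Assumes paths without whitespace (the path is taken as the last field).
suid_root_from_ls() {
    awk '
        # Field 1 is the mode string, field 3 the owner, last field the path.
        NF >= 9 && $1 ~ /^-/ {
            owner_x = substr($1, 4, 1)   # owner execute slot: x, -, s or S
            # "s" = setuid with owner execute, "S" = setuid without it.
            if ((owner_x == "s" || owner_x == "S") && $3 == "root") {
                print "SUID-ROOT " $NF
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# The four lines quoted in Comment 5.
GENTOO_LS='-rwxr-xr-x  1 root root 51212 Jan 18 10:51 /usr/bin/gtkplaymidi
-rwxr-xr-x  1 root root 46796 Jan 18 10:51 /usr/bin/playmidi
-rwxr-xr-x  1 root root 41772 Jan 18 10:51 /usr/bin/splaymidi
-rwxr-xr-x  1 root root 46988 Jan 18 10:51 /usr/bin/xplaymidi'

# Constructed lines: a setuid-root install, and a setuid file owned by a
# non-root user, which must not be flagged.
CONSTRUCTED_LS='-rwsr-xr-x  1 root root 46796 Jan 18 10:51 /example/bin/suidprog
-rwsr-xr-x  1 games games 1234 Jan 18 10:51 /example/bin/notroot'

printf '%s\n' "$GENTOO_LS" | suid_root_from_ls \
    && echo "no setuid-root binaries in the Comment 5 listing"
```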