Bug 92494

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-13 07:11:01 UTC

From ChangeLog:

 o  SECURITY FIX: cdrdao now gives up its root privileges after setting
    up real-time scheduling, as well as before saving settings through
    the --save option. This fixes a potential local root exploit when
    cdrdao is installed with the +s chmod flag. Using --save now also
    forces an early exit after the settings are saved.

Lars please bump.

Comment 2 Matthias Geerdsen (RETIRED) 2005-05-24 04:24:29 UTC

correcting component

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2005-05-25 06:59:12 UTC

Vorlon afaik this only makes cdr drop privs, there is no known vuln fixed as such, no?

Lars please bump.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2005-06-23 05:13:45 UTC

Lars any news on this one? 

Comment 5 Lars Weiler (RETIRED) 2005-06-29 13:14:11 UTC

Stupid cdrdao-homepage.  The 1.2.0-version is listed in sourceforge, but not on
their homepage.

I currently try to install 1.2.0 with the latest 1.1.9-ebuild.

Comment 6 Lars Weiler (RETIRED) 2005-06-29 14:24:20 UTC

Two things:
1) The vulnerability works only with cdrdao installed setuid root (as the first
posting states).  This is not the default within Gentoo.

2) As an information in advance:
The gnome interface gcdmaster which can be built with cdrdao needs the following
packages stable for version cdrdao-1.2.0:

>=dev-cpp/gconfmm-2.6
>=dev-cpp/libglademm-2.4
>=dev-cpp/gnome-vfsmm-2.6
>=dev-cpp/libgnomecanvasmm-2.6
>=dev-cpp/libgnomemm-2.6
>=dev-cpp/libgnomeuimm-2.6

These are all gnome-herd packages.  Please ask if the packages are ready for
stable usage.

I'll add a testing masked version of cdrdao-1.2.0 as soon as it has been
compiled on my machine.

Comment 7 Stefan Cornelius (RETIRED) 2005-06-30 07:05:37 UTC

Added gnome to CC like requested by foser - he will take a look when he has some
time.

Comment 8 Matthias Geerdsen (RETIRED) 2005-07-09 12:09:06 UTC

any news on this one?

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) 2005-07-21 00:44:32 UTC

foser/pylon any news on this one? 

Comment 10 Lars Weiler (RETIRED) 2005-07-21 04:23:55 UTC

See my comment #6.  I'm waiting for the gnome-herd masking some packages stable.
 Otherwise a newer cdrdao won't become stable.

Comment 11 Daniel Gryniewicz (RETIRED) 2005-07-21 08:02:17 UTC

These are all owned by the gnome-mm herd, adding to cc.

Comment 12 Aaron Walker (RETIRED) 2005-07-21 08:46:17 UTC

I'll work on the others, but pYrania maintains gnome-vfsmm.

Comment 13 Aaron Walker (RETIRED) 2005-07-21 10:12:15 UTC

>=dev-cpp/gconfmm-2.6 <- done
>=dev-cpp/libglademm-2.4 <- done earlier this week
>=dev-cpp/gnome-vfsmm-2.6 <- waiting on pYrania
>=dev-cpp/libgnomecanvasmm-2.6 <- done by someone else at some point
>=dev-cpp/libgnomemm-2.6 <- done
>=dev-cpp/libgnomeuimm-2.6 <- waiting on gnome-vfsmm stable

Comment 14 Lars Weiler (RETIRED) 2005-07-21 15:58:44 UTC

>=dev-cpp/gnome-vfsmm-2.6 <- it's stable now on x86.  Now we can get
>=dev-cpp/libgnomeuimm-2.6 stable.

ppc, ppc64 and sparc are already ready for the cdrdao-upgrade.  There is no
other open bug from it's testing phase.  When all dependencies are done for x86,
I'll mask cdrdao-1.2.0 stable.

Comment 15 Aaron Walker (RETIRED) 2005-07-21 17:00:23 UTC

dev-cpp/libgnomeuimm-2.6.0 stable on x86

Comment 16 Lars Weiler (RETIRED) 2005-07-21 22:55:56 UTC

cdrdao-1.2.0 stable on x86 and ppc.  Other arches should test and upgrade to
cdrdao-1.2.0.

Comment 17 Lars Weiler (RETIRED) 2005-07-21 23:01:06 UTC

Arches, please test and make stable cdrdao-1.2.0.

Current keywords:
cdrdao-1.2.0:  ~amd64 ppc ~ppc64 ~sparc x86
Target keywords:
cdrdao-1.2.0:  alpha amd64 hppa ia64 ppc ppc64 sparc x86

I previously dropped the alpha, hppa and ia64 keyword for this version as it
contains major changes.

Comment 18 Markus Rothe (RETIRED) 2005-07-22 01:44:32 UTC

stable on ppc64

Comment 19 Herbie Hopkins (RETIRED) 2005-07-22 05:41:41 UTC

Stable on amd64.

Comment 20 Gustavo Zacarias (RETIRED) 2005-07-22 06:42:25 UTC

sparc stable.

Comment 21 Stefan Cornelius (RETIRED) 2005-07-22 11:19:30 UTC

LLoydBates reported a minor problem with the ebuild, it adds 1.1.9 as version,
not 1.2.0:
# Add gentoo to version
sed -i -e "s:^PACKAGE_STRING='cdrdao 1.1.9':PACKAGE_STRING='cdrdao 1.1.9
gentoo':" configure

Removing remaining arches until another ebuild comes so that they can spend
their time for other bugs ;)

Comment 22 Lars Weiler (RETIRED) 2005-07-23 05:35:44 UTC

Fix done (and in a way, it should not happen again ;-) ).

Remaining arches are alpha, hppa and ia64.

Comment 23 Stefan Cornelius (RETIRED) 2005-07-23 05:46:25 UTC

Alpha, ia64, hppa: please mark cdrdao-1.2.0 stable, thanks!

Comment 24 René Nussbaumer (RETIRED) 2005-07-23 06:46:41 UTC

We (hppa) are working on marking stable this ebuild. But we need further testing
because of major changes.

Comment 25 René Nussbaumer (RETIRED) 2005-07-30 02:58:05 UTC

Now stable on hppa. Sorry for the delay.

Comment 26 Fernando J. Pereda (RETIRED) 2005-07-30 16:27:13 UTC

cdrdao is p.masked in alpha until we can mark cdrdao-1.2.0 stable.

Cheers
Ferdy

Comment 27 Thierry Carrez (RETIRED) 2005-07-31 04:28:23 UTC

I guess we can now close this one. Reopen if you disagree.