Bug 135020 - dev-util/motor: ktools buffer overflow / privilege escalation (CVE-2005-3863)
Summary: dev-util/motor: ktools buffer overflow / privilege escalation (CVE-2005-3863)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://secunia.com/advisories/20329
Whiteboard: C2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-31 03:14 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-09-07 14:14 UTC
See Also:
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-31 03:14:49 UTC
Hi;

I thought this was an old issue (GLSA 200512-11, CVE-2005-3694, CVE-2005-3863) but at least dev-utils/motor seems to remain unpatched.
3.3.0 is stable in our tree; 3.4.0 is ~arched  (x86, ppc)
(Last dev-utils/motor/Changelog mtime = Apr 24  2005)

Debian has just issued DSA-1083-1 concerning this issue: http://www.debian.org/security/2006/dsa-1083
Debian mentions execution of arbitrary code.

----------------

Software: Motor 3.x

CVE reference: CVE-2005-3863

Description:
A vulnerability has been reported in Motor, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to the use of a vulnerable version of the ktools library.

For more information:
SA17768

The vulnerability has been reported in version 3.4.0. Other versions may also be affected.

Solution:
Restrict use of affected applications to only accept input from trusted sources.

Some Linux vendors have issued fixed packages.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-31 03:18:24 UTC
Patch below:

--- motor-3.2.2.orig/kkstrtext/kkstrtext.h
+++ motor-3.2.2/kkstrtext/kkstrtext.h
@@ -83,7 +83,7 @@
     { \
        va_list vgs__ap; char vgs__buf[1024]; \
        va_start(vgs__ap, fmt); \
-       vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
+       vsnprintf(vgs__buf, 1024, fmt, vgs__ap); c = vgs__buf; \
        va_end(vgs__ap); \
     }
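Review bot: the new bound in `vsnprintf(vgs__buf, 1024, fmt, vgs__ap)` repeats the literal 1024 from the declaration `char vgs__buf[1024]` two lines above; use `sizeof(vgs__buf)` so the two cannot drift apart if the buffer is ever resized. The return value is also discarded, so any formatted text longer than the buffer is now silently cut rather than overflowing, and some pre-C99 vsnprintf implementations do not NUL-terminate on truncation; consider checking the result and adding `vgs__buf[sizeof(vgs__buf) - 1] = '\0';` before `c = vgs__buf;`.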


http://security.debian.org/pool/updates/main/m/motor/motor_3.2.2-2woody1.diff.gz

I'm not sure this is exploitable for code injection.
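As an added illustration, not code from the bug, the Debian patch or ktools: a C rendering of the patched macro body that also derives the bound from the buffer size, forces NUL termination and reports truncation, exercised with a constructed over-long input of the kind that overflowed the 1024-byte `vgs__buf` under `vsprintf`. The function and demo names are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define VGS_BUF_SIZE 1024   /* same size as the ktools macro's vgs__buf */

/* Hardened form of the macro body. The original used unbounded vsprintf;
 * the patch bounds it with vsnprintf(buf, 1024, ...). This version derives
 * the bound from the buffer size, forces NUL termination (some pre-C99
 * vsnprintf implementations omit it when truncating) and reports truncation
 * instead of silently clipping: 1 = truncated, 0 = fit, -1 = format error. */
static int format_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return -1; }
    out[outsz - 1] = '\0';
    return (size_t)n >= outsz ? 1 : 0;
}

/* Constructed input longer than the buffer, the case that overflowed with
 * vsprintf; 1 when truncation is reported and the result stays in bounds. */
static int demo_long_input(void)
{
    char buf[VGS_BUF_SIZE], input[2000];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return format_bounded(buf, sizeof buf, "%s", input) == 1
        && strlen(buf) == VGS_BUF_SIZE - 1;
}

/* Ordinary input that fits: no truncation, text intact. */
static int demo_short_input(void)
{
    char buf[VGS_BUF_SIZE];
    return format_bounded(buf, sizeof buf, "project %s (%d)", "motor", 3) == 0
        && strcmp(buf, "project motor (3)") == 0;
}

int main(void)
{
    printf("long input truncated: %d, short input ok: %d\n",
           demo_long_input(), demo_short_input());
    return 0;
}
```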
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 14:28:25 UTC
Hi liquidx, please provide a fixed ebuild if possible. Thanks in advance.

Sec-team, we should decide if this is exploitable or not for a GLSA decision.
Comment 3 Wolf Giesen (RETIRED) gentoo-dev 2006-06-12 00:10:47 UTC
Hm, as far as I can see, local threat -> execute code, but I don't yet see the privilege escalation here.

Did somebody check whether the other apps depending on ktools were fixed? centericq had glsa-200512-11, groan seems not to be in portage, but Orpheus is, and looking at the Changelog the last change was before the bug was discovered. Not sure of the impact, though.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-24 07:12:43 UTC
Any news on this one?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:43:07 UTC
liquidx please advise
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 07:42:48 UTC
We should probably patch this one ourselves or hunt that maintainer down.
Comment 7 Alastair Tse (RETIRED) gentoo-dev 2006-08-22 02:22:08 UTC
Sorry, I didn't even realise I still maintain this package. So what is the solution? Get 3.4.0 to portage or apply that patch?
Comment 8 Alastair Tse (RETIRED) gentoo-dev 2006-08-22 03:14:14 UTC
Committed patch from Debian that is the same as the one in the comments. Bumped for motor-3.3.0-r1 and motor-3.4.0-r1 for stable and unstable respectively. I've taken the liberty to mark it stable for motor-3.3.0 for x86, so we need ppc to mark motor-3.3.0-r1 stable as well.
Comment 9 Wormo (RETIRED) gentoo-dev 2006-08-22 15:24:28 UTC
3.3.0-r1 doesn't seem to work too well here, after I create a project it doesn't get added to the project list.

On the other hand, 3.4.0-r1 does work fine, so I'll stable it and you can get rid of the vulnerable 3.3.0.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-23 08:20:39 UTC
This one is ready for GLSA.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-31 10:06:41 UTC
GLSA 200608-27 sent but does not appear on some gentoo-announce recipients...
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-05 06:03:31 UTC
Falco, either we should close this one or resend (unless it has mysteriously appeared in the meantime).
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-09-07 14:14:55 UTC
GLSA resent and received :)