Hi, I thought this was an old issue (GLSA200512-11, CVE-2005-3694, CVE-2005-3863), but at least dev-utils/motor seems to remain unpatched. 3.3.0 is stable in our tree; 3.4.0 is ~arched (x86, ppc). (Last dev-utils/motor/Changelog mtime = Apr 24 2005.)
Debian has just issued DSA-1083-1 concerning this issue: http://www.debian.org/security/2006/dsa-1083
Debian mentions execution of arbitrary code.
----------------
Software: Motor 3.x
CVE reference: CVE-2005-3863
Description: A vulnerability has been reported in Motor, which potentially can be exploited by malicious, local users to perform certain actions with escalated privileges. The vulnerability is caused due to the use of a vulnerable version of the ktools library.
For more information: SA17768
The vulnerability has been reported in version 3.4.0. Other versions may also be affected.
Solution: Restrict use of affected applications to only accept input from trusted sources. Some Linux vendors have issued fixed packages.
patch below : --- motor-3.2.2.orig/kkstrtext/kkstrtext.h +++ motor-3.2.2/kkstrtext/kkstrtext.h @@ -83,7 +83,7 @@ { \ va_list vgs__ap; char vgs__buf[1024]; \ va_start(vgs__ap, fmt); \ - vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \ + vsnprintf(vgs__buf, 1024, fmt, vgs__ap); c = vgs__buf; \ va_end(vgs__ap); \ } http://security.debian.org/pool/updates/main/m/motor/motor_3.2.2-2woody1.diff.gz i'm not sure this is exploitable for code injection
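Review bot: on the replacement line, the bound passed to vsnprintf is the literal 1024 repeated from the declaration `char vgs__buf[1024]`; use `sizeof(vgs__buf)` so the size and the array cannot drift apart if one is changed later. The return value of vsnprintf is also discarded, so formatted output that does not fit is silently truncated before `c = vgs__buf` runs; if callers of this macro depend on the full string, compare the return value against the buffer size and handle the truncated case explicitly.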
Hi liquidx, please provide a fixed ebuild if possible. Thanks in advance. Sec-team, we should decide if this is exploitable or not for a GLSA decision.
Hm, as far as I can see, local threat -> execute code, but I don't yet see the privilege escalation here. Did somebody check whether the other apps depending on ktools were fixed? centericq had glsa-200512-11, groan seems not to be in portage, but Orpheus is, and looking at the Changelog the last change was before the bug was discovered. Not sure of the impact, though.
Any news on this one?
liquidx please advise
We should probably patch this one ourselves or hunt that maintainer down.
Sorry, I didn't even realise I still maintain this package. So what is the solution? Get 3.4.0 to portage or apply that patch?
Committed patch from Debian that is the same as the one in the comments. Bumped for motor-3.3.0-r1 and motor-3.4.0-r1 for stable and unstable respectively. I've taken the liberty to mark it stable for motor-3.3.0 for x86, so we need ppc to mark motor-3.3.0-r1 stable as well.
3.3.0-r1 doesn't seem to work too well here; after I create a project it doesn't get added to the project list. On the other hand, 3.4.0-r1 does work fine, so I'll stable it and you can get rid of the vulnerable 3.3.0.
This one is ready for GLSA.
GLSA 200608-27 sent but does not appear on some gentoo-announce recipients...
Falco, either we should close this one or resend (unless it has mysteriously appeared in the meantime).
GLSA resent and received :)