Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 156152 - net-misc/smb4k vulnerabilities
Summary: net-misc/smb4k vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1/3?? [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-24 12:53 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-03-11 00:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-11-24 12:53:29 UTC
I was asked to check over smb4k's[1] recent update (involving sudoers 
mangling[2]).  After convincing myself that the bug itself wasn't a 
security issue (beyond it being a self-DoS), I did a quick audit and 
found a number of other problems.  We are not interested in an embargo.  
If no one else wants an embargo, I will open an upstream report for 
these problems on 2006-11-28.

In general, smb4k's base design is dangerous; anyone added to the smb4k 
group list has the ability to arbitrarily kill any process with 
"sudo smb4k_kill".

Specific programming errors:
- smb4k/core/smb4kfileio.cpp
  - priv escalation: writeFile uses mktemp, allowing a difficult race 
    on sudoers file writing.
  - information leak: writeFile stores the contents of sudoers without 
    enforcing strict permissions, allowing world-readable contents.
  - data destruction: remove_lock_file race allows arbitrary user-owned 
    files to be mucked with.
- utilities/smb4k_*.cpp:
  - priv escalation: when used along with the "sudo" configuration, all 
    of the tools have stack overflows with args variable, as well as 
    other strcpy uses that could be a problem in the future.


[1] http://smb4k.berlios.de/
[2] http://developer.berlios.de/project/shownotes.php?release_id=11138

-- 
Kees Cook
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 04:48:02 UTC
quick note before lunch...

http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769
http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769

those appear to be the upstream bugs he filed... guess this can be opened then later
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-14 06:10:53 UTC
opening the bug, since the bugs over at berlios are public

looks like this will be fixed upstream soon, kde herd please have an eye on this
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-22 03:31:59 UTC
0.8.0 is in tree, but considering the size of the changes, I wouldn't consider that for stable yet.
I've removed the 0.7.x series and now working on getting 0.6.10a+security patch working.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-22 03:39:36 UTC
0.6.10a + security patch in tree.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-22 04:13:38 UTC
Thx Diego.

Arches please test and mark stable. Target keywords are:

smb4k-0.6.10a.ebuild:KEYWORDS="amd64 ppc x86"
Comment 6 Markus Meier gentoo-dev 2006-12-22 08:07:17 UTC
net-misc/smb4k-0.6.10a  USE="-arts -debug -xinerama"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.4 i686)
=================================================================
System uname: 2.6.18.4 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Fri, 22 Dec 2006 14:00:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 Samuli Suominen gentoo-dev 2006-12-23 04:37:26 UTC
Stable on x86 by Ticho
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-23 07:29:49 UTC
ppc stable
Comment 9 Thomas Tuttle 2006-12-23 08:12:16 UTC
Tried to test in my amd64 chroot but ran in to an unrelated kdelibs bug (it won't emerge without X).  I'm trying it on my main system (with X) now, and will report results.
Comment 10 Thomas Tuttle 2006-12-23 12:54:21 UTC
Works for me on amd64.

emerge --info:

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz
Gentoo Base System version 1.12.6
Last Sync: Sat, 23 Dec 2006 18:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /lib/modules /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer multilib-strict prelink sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo"
LINGUAS="en en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi aiglx alsa alsa_cards_hda-intel alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol arts berkdb bitmap-fonts cairo cdda cddb cdinstall cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd exif fam firefox flac fortran gdbm gif gnome gpm gstreamer gtk gtk2 hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics ipv6 isdnlog java5 jce jikes jpeg kde kernel_linux ldap libg++ linguas_en linguas_en_US lirc lirc_devices_streamzap mad mikmod mp3 mpeg ncurses nls nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl srvdir ssl symlink tcpd theora truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_i810 video_cards_i945 video_cards_vesa vorbis x264 xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-01-23 10:09:51 UTC
amd64 stable
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 20:52:38 UTC
TTV (time to vote)

The most severe vuln sounds like a hard-to-do local priv escalation.
http://developer.berlios.de/bugs/?func=detailbug&bug_id=9630&group_id=769

I vote Yes
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 22:38:38 UTC
i'm actually the only active member of the security team, so i can't apply the policy telling that 2 positive votes include a GLSA. 

Let's have one btw :)
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-11 00:52:02 UTC
GLSA 200703-09, thanks everybody and closing.