This vulnerability has already been fixed; it only needs a stabilization (bug #573250) and the removal of the affected version. The old init script for mythtv calls chown recursively on two directories: chown -R mythtv:video /var/log/mythtv/ chown -R mythtv:video /home/mythtv/ Once the mythtv user owns those directories, he can place hard links in them. The next time mythtv is started, the recursive chown affects the targets of those hardlinks, giving control of them to the mythtv user. In that way, mythtv (or anyone in the video group) can take (group) ownership of any file on the system. For example, $ sudo su mythtv -c 'ln /home/mjo/foo.txt /home/mythtv/foo.txt' $ sudo /etc/init.d/mythbackend start $ ls ~/foo.txt -rw-r--r-- 2 mythtv video 6 2016-12-22 13:29 /home/mjo/foo.txt This was fixed in mythbackend.init-r2 by calling checkpath non-recursively.
Sorry about that, didn't notice I was still listed on the project page. I'm going to un-CC from this as I haven't touched mythtv in a while. Depending on cardoe's activity level somebody else may need to stabilize this.
I haven't used MythTV since at least April and no longer have it installed as well. I'll remove myself from the project page as well. It looks like this is just waiting on x86 to stabilize it or be dropped. They never responded on #573250 and once they do we can remove the vulnerable versions.
The affected version has been removed from the tree, so this is fixed. It wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right now.
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
(In reply to Michael Orlitzky from comment #3) > The affected version has been removed from the tree, so this is fixed. It > wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right > now. @proxy maintainer, see if this is applicable still and apply accordingly. I'm going to close this as the tree is clean but still investigate if it's useful.