Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603488 - =media-tv/mythtv-0.27_p20140321: root privilege escalation via init script
Summary: =media-tv/mythtv-0.27_p20140321: root privilege escalation via init script
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-22 18:32 UTC by Michael Orlitzky
Modified: 2020-05-24 17:59 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2016-12-22 18:32:43 UTC
This vulnerability has already been fixed; it only needs a stabilization (bug #573250) and the removal of the affected version.

The old init script for mythtv calls chown recursively on two directories:

  chown -R mythtv:video /var/log/mythtv/
  chown -R mythtv:video /home/mythtv/

Once the mythtv user owns those directories, he can place hard links in them. The next time mythtv is started, the recursive chown affects the targets of those hardlinks, giving control of them to the mythtv user. In that way, mythtv (or anyone in the video group) can take (group) ownership of any file on the system. For example,

  $ sudo su mythtv -c 'ln /home/mjo/foo.txt /home/mythtv/foo.txt'
  $ sudo /etc/init.d/mythbackend start
  $ ls ~/foo.txt
  -rw-r--r-- 2 mythtv video 6 2016-12-22 13:29 /home/mjo/foo.txt

This was fixed in mythbackend.init-r2 by calling checkpath non-recursively.
Comment 1 Richard Freeman gentoo-dev 2016-12-22 19:55:37 UTC
Sorry about that, didn't notice I was still listed on the project page.  I'm going to un-CC from this as I haven't touched mythtv in a while.  Depending on cardoe's activity level somebody else may need to stabilize this.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2016-12-23 20:52:12 UTC
I haven't used MythTV since at least April and no longer have it installed as well. I'll remove myself from the project page as well.

It looks like this is just waiting on x86 to stabilize it or be dropped. They never responded on #573250 and once they do we can remove the vulnerable versions.
Comment 3 Michael Orlitzky gentoo-dev 2017-04-23 00:06:42 UTC
The affected version has been removed from the tree, so this is fixed. It wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right now.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:42 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:04 UTC
unrestricting per bug 705894
Comment 6 Sam James archtester gentoo-dev Security 2020-05-24 17:59:57 UTC
(In reply to Michael Orlitzky from comment #3)
> The affected version has been removed from the tree, so this is fixed. It
> wouldn't hurt to kill "mythbackend.init" too, but nothing is using it right
> now.

@proxy maintainer, see if this is applicable still and apply accordingly.

I'm going to close this as the tree is clean but still investigate if it's useful.