Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 63187 - app-cdr/cdrtools: fix local root vulnerability
Summary: app-cdr/cdrtools: fix local root vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa] koon
Keywords: InVCS
Depends on:
Reported: 2004-09-07 22:05 UTC by Alin Năstac (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

scsi-remote.c.diff (scsi-remote.c.diff,540 bytes, patch)
2004-09-07 22:08 UTC, Alin Năstac (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alin Năstac (RETIRED) gentoo-dev 2004-09-07 22:05:59 UTC
I've looked into cdrecord-2.01-0.a28.2.100mdk package from Mandrake and saw a patch that isn't included in our current stable cdrecord ebuild. Also, I suspect that patch could also be applied to cdrecord-prodvd but I didn't verified.
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2004-09-07 22:08:30 UTC
Created attachment 39179 [details, diff]

Resolve MDKSA-2004:091 issue.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-07 22:42:30 UTC
Pylon please verify and apply.

Mandrake advisory:

Max Vozeler found that the cdrecord program, which is suid root, fails to drop euid=0 when it exec()s a program specified by the user through the $RSH environment variable. This can be abused by a local attacker to obtain root privileges.

This has been assigned CAN-2004-0806
Comment 3 Lars Weiler (RETIRED) gentoo-dev 2004-09-08 07:13:32 UTC
We don't install cdrecord suid root by default.  The user has to act to change it's state.  E.g. k3b's setup utility allows to change the state, but we warn about it during installation of k3b.

I don't think that we need to apply the patch.  Security-team, you have the last word.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2004-09-08 07:27:13 UTC
My 2 eurocents:
I think it would be best to apply this patch, even if security don't issue a glsa. Prolly there are gentooers who choosed to suid their cdrecord. Why not secure their cdrecord?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-09-08 07:50:08 UTC
I would say the patch should be applied. It's not the first time that we issue a GLSA on a non-by-default setup. And cdrecord must be SUID on a lot of machines.
Comment 6 solar (RETIRED) gentoo-dev 2004-09-08 16:52:12 UTC
I would add the patch and skip the GLSA process.
Comment 7 SpanKY gentoo-dev 2004-09-08 20:05:27 UTC
agreed, theres no reason not to add the patch

although people would have to +s cdrecord themselves i'd imagine people do since k3b supports it as such
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-09 12:05:08 UTC
Pylon please apply the patch.
Comment 9 solar (RETIRED) gentoo-dev 2004-09-13 22:47:06 UTC
The maintainer took to long so I added the patch to the following ebuilds.

We should still probably have the arches mark these stable. 
Perferably 2.01_alpha37-r1 and then remove the old ebuilds.

KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~ppc64 ~mips"

KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~ppc64 ~mips"
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-13 23:57:21 UTC
Arches please test and mark stable. Preferably 2.01_alpha37-r1 otherwise 2.01_alpha28-r2.
Comment 11 Alin Năstac (RETIRED) gentoo-dev 2004-09-14 00:01:37 UTC
jaervosz, don't forget about cdrecord-prodvd
Comment 12 Alin Năstac (RETIRED) gentoo-dev 2004-09-14 00:28:11 UTC
cdrrecord-prodvd does not compile cdrtools by itself.
thanks jaervosz for observing that.
sorry folks, my mistake.
Comment 13 Lars Weiler (RETIRED) gentoo-dev 2004-09-14 02:41:32 UTC
Sorry, I was not around the last days.

One sidenote: cdrtools-2.01_alpha37 could have some problems with kernel <2.6.8 and audio-cd-writing.  Furthermore I'm about to add cdrtools-2.01 (the stable version) to the tree.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-14 05:43:40 UTC
Thx Pylon. Arches please test and mark stable. Preferably 2.01 (just added) otherwise 2.01_alpha37-r1 or 2.01_alpha28-r2.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-14 08:05:25 UTC
2.01 stable on sparc, tested audio on 2.4 with -v -dao -pad just fine, also iso.
Comment 16 Guy Martin (RETIRED) gentoo-dev 2004-09-14 09:16:37 UTC
Stable on hppa.
Comment 17 Jason Huebel (RETIRED) gentoo-dev 2004-09-14 10:08:15 UTC
2.01 stable on amd64
Comment 18 Lars Weiler (RETIRED) gentoo-dev 2004-09-14 10:58:23 UTC
2.01 stable on x86 and ppc.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 11:19:52 UTC
GLSA drafted, security please review
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-14 14:29:21 UTC
GLSA 200409-18

alpha,ia64,mips,ppc64 don't forget to mark stable to benifit from GLSA.
Comment 21 Joshua Kinard gentoo-dev 2004-09-20 12:30:52 UTC
mips stable.
Comment 22 Tom Gall (RETIRED) gentoo-dev 2004-10-09 12:30:00 UTC
thanks, stable on ppc64