Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 69868 - app-sci/gimps,setiathome,chessbrain: insecure installation
Summary: app-sci/gimps,setiathome,chessbrain: insecure installation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-02 12:09 UTC by Ulrich Müller
Modified: 2006-03-23 19:16 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ulrich Müller gentoo-dev 2004-11-02 12:09:53 UTC
app-sci/gimps-23.9 installs /opt/gimps/mprime with ownership nobody:nogroup.
In the default configuration, the initscript executes it as root user.
If /opt is mounted via NFS, it might be possible to overwrite mprime by an arbitrary binary.

The same applies to the stable -23.5 version.

(Probably, it should be the other way around: the binary should be owned by root and run as a special user.)
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-02 13:00:28 UTC
Hi Michal,

Please commit a fixed version.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-04 13:31:20 UTC
sci please fix setiathome,chessbrain and any other applications with similar issues.
Comment 3 Michal Januszewski (RETIRED) gentoo-dev 2004-11-04 14:39:59 UTC
Gimps is now fixed.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-06 07:18:58 UTC
sci please fix this ASAP.
Comment 5 Olivier Fisette (RETIRED) gentoo-dev 2004-11-07 11:18:03 UTC
Fixed for "app-sci/chessbrain".

"app-sci/foldingathome" is also affected.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-07 12:13:17 UTC
Thanks Olivier. 

sci please fix foldingathome also.
Comment 7 Olivier Fisette (RETIRED) gentoo-dev 2004-11-07 12:20:09 UTC
Fixed "app-sci/setiathome-3.08" (the version for x86 and amd64).

Could someone with access to either ppc, sparc, hppa or ia64 please do the same for version 3.03? This seems to be the last affected package.

"app-sci/foldingathome" is not affected. (That was my mistake.)
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-07 12:56:55 UTC
Olivier just update the ebuilds and mark stable on the arches you have access to. Security will handle stable marking for other arches.
Comment 9 Olivier Fisette (RETIRED) gentoo-dev 2004-11-07 13:32:01 UTC
Fixed "app-sci/setiathome-3.03". All four supported arches are marked unstable.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-07 13:46:38 UTC
Arches please mark setiathome stable. Fixed versions are 3.03-r2 and 3.08-r4.

Combined target keywords for setiathome:

x86 amd64 ppc sparc -alpha hppa ia64
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2004-11-08 05:56:38 UTC
sparc has following problems with setiathome-3.03-r2:
1) If you happen to have USE='X', installation fails because there is no xsetiathome;
2) If you do not have USE='X', the program installed at /opt/setiathome/setiathome is
   not made executable:  You need to do 'chmod +x /opt/setiathome/setihome' by hand.
(Previous 3.03-r1 ebuild takes care of this, but I do not know if the deletion was intentional or not.
In any event, as it stands, what is installed for -r2 cannot be used but -r1 can be.)
========================
setiathome-3.08 is a nonstarter for sparc, since it does not actually exist.

Regards,
Ferris
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-08 06:53:12 UTC
Back to ebuild status.  Olivier please fix.
Comment 13 Olivier Fisette (RETIRED) gentoo-dev 2004-11-08 07:41:33 UTC
Should be fixed in CVS, but I cannot test it.
Comment 14 Ferris McCormick (RETIRED) gentoo-dev 2004-11-08 08:21:45 UTC
setiathome-3.03-r2 now installs and runs for sparc; sparc done.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-08 11:19:29 UTC
Back to stable marking. Thx Olivier.
Comment 16 Jochen Maes (RETIRED) gentoo-dev 2004-11-09 01:23:28 UTC
setiathome stable on ppc
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-13 00:00:27 UTC
Thx Ferris. Please remember to remove arch from CC when you mark stable.
Comment 18 Ferris McCormick (RETIRED) gentoo-dev 2004-11-13 05:06:27 UTC
Sorry.  It wasn't completely clear to me that setiathome was the only thing that needed looking at.  (Although I guess Comment 7 gives a pretty good indication.)
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-14 10:36:06 UTC
GLSA drafted Security please review.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-17 14:28:00 UTC
GLSA 200411-26

sci please remember to remove old vulnerable ebuilds that are no longer needed.
Comment 21 Olivier Fisette (RETIRED) gentoo-dev 2004-11-18 05:53:48 UTC
Removed insecure versions for "app-sci/{gimp,chessbrain}". Must hppa and ia64 
mark "app-sci/setiathome-3.03-r2" stable before I remove r1, or should I remove 
it immediately?
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-11-18 14:01:30 UTC
Yes, you should remove r1 only when hppa and ia64 mark "app-sci/setiathome-3.03-r2" stable.
Comment 23 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:03:48 UTC
Removed hppa keyword because the tarball is not available