Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 78230 - media-video/vdr CAN-2005-0071: overwrites arbitrary files (Vendor-Sec)
Summary: media-video/vdr CAN-2005-0071: overwrites arbitrary files (Vendor-Sec)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa] koon
Depends on:
Reported: 2005-01-16 08:47 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-01-30 10:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

CAN-2005-0071.patch (CAN-2005-0071.patch,1.03 KB, patch)
2005-01-16 08:49 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff
vdr-1.2.6_CAN-2005-0071.patch (vdr-1.2.6_CAN-2005-0071.patch,893 bytes, patch)
2005-01-24 05:38 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-16 08:47:37 UTC
Javier Fern
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-16 08:47:37 UTC
Javier Fernández-Sanguino Peña from the Debian Security Audit Team has
discovered that the vdr daemon which is used for video disk recorders
for DVB cards can overwrite arbitrary files.

Not sure if one of you has vdr running as root as well, but we had
this situation in our slightly old stable release.  If it is running
as a separate user, you're fine.  If it is running as root, the
attached patch will fix this problem.

Please let me know if you require coordination with this vulnerability.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-16 08:49:27 UTC
Created attachment 48663 [details, diff]
Comment 3 Chris White (RETIRED) gentoo-dev 2005-01-17 10:32:35 UTC
I'm really not sure on this one, as the conditions seem pretty pathetic to execute this bug.  I mean.. if the person has root access, wth, who needs vdr to remove aribtrary files :|.  You just rm -rf / and you're caused more damage than this will ever cause.  Maybe it's just me.. but it seems like you'd have to be some sort of computer macochist(sp?) to actually do damage with this.  I'll apply the patch shortly though just to make people happy...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-17 14:44:18 UTC
I guess a malicious user theoretically could control the DVB input for dvr and thus exploit this vulnerability.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 01:13:03 UTC
Looks like Debian is affected because they are starting the vdr daemon as root. My question is, do we have an rc-script to run that daemon at startup ? If so, does it make use of the root user or a specific user ?

If we don't provide init scripts to run it as startup or if those init scripts use a specific user, then I think it's shallow and should be dropped. But if like Debian we provide an init script to start it on startup as root, then we should probably fix...

I didn't manage to install it on my amd64 (pulls weird depends) so I couldn't test it. Hope someone else will be able to answer that question. From what Chris says I understand it's not automatically started so perhaps it's just better to ignore this.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 05:38:22 UTC
Created attachment 49363 [details, diff]

Current patch does not apply to 1.2.6 (filenames changed).
Here is a patch adapted for VDR 1.2.6, untested.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-24 05:39:59 UTC
I think this applies to us because "runvdr" runs as root by default.
Given the scope it's probably better to wait for this to be public.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-01-25 08:06:33 UTC
Public now: Debian Security Advisory DSA 656-1
Unclassified signoff:koon/jaervosz

media-video herd, please apply attached patch
Comment 9 Jan Brinkmann (RETIRED) gentoo-dev 2005-01-25 08:15:45 UTC
tested and commited.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 06:53:03 UTC
luckyduck/media-video: please create a new revision for the ebuilds, so that people with vdr installed can get the fix by upgrading.
Comment 11 Jan Brinkmann (RETIRED) gentoo-dev 2005-01-27 07:09:12 UTC
ok, done
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 07:16:31 UTC
GLSA vote. We issue GLSAs for tmpfile vulns and Debian issued one, so I vote YES.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-29 02:22:13 UTC
I vote YES to this one as well.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-01-30 10:51:12 UTC
GLSA 200501-42