Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-16 08:47:37 UTC

Javier Fernández-Sanguino Peña from the Debian Security Audit Team has
discovered that the vdr daemon which is used for video disk recorders
for DVB cards can overwrite arbitrary files.

Not sure if one of you has vdr running as root as well, but we had
this situation in our slightly old stable release.  If it is running
as a separate user, you're fine.  If it is running as root, the
attached patch will fix this problem.

Please let me know if you require coordination with this vulnerability.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-16 08:49:27 UTC

Created attachment 48663 [details, diff]
CAN-2005-0071.patch

Comment 3 Chris White (RETIRED) 2005-01-17 10:32:35 UTC

I'm really not sure on this one, as the conditions seem pretty pathetic to execute this bug.  I mean.. if the person has root access, wth, who needs vdr to remove aribtrary files :|.  You just rm -rf / and you're caused more damage than this will ever cause.  Maybe it's just me.. but it seems like you'd have to be some sort of computer macochist(sp?) to actually do damage with this.  I'll apply the patch shortly though just to make people happy...

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-17 14:44:18 UTC

I guess a malicious user theoretically could control the DVB input for dvr and thus exploit this vulnerability.

Comment 5 Thierry Carrez (RETIRED) 2005-01-18 01:13:03 UTC

Looks like Debian is affected because they are starting the vdr daemon as root. My question is, do we have an rc-script to run that daemon at startup ? If so, does it make use of the root user or a specific user ?

If we don't provide init scripts to run it as startup or if those init scripts use a specific user, then I think it's shallow and should be dropped. But if like Debian we provide an init script to start it on startup as root, then we should probably fix...

I didn't manage to install it on my amd64 (pulls weird depends) so I couldn't test it. Hope someone else will be able to answer that question. From what Chris says I understand it's not automatically started so perhaps it's just better to ignore this.

Comment 6 Thierry Carrez (RETIRED) 2005-01-24 05:38:22 UTC

Created attachment 49363 [details, diff]
vdr-1.2.6_CAN-2005-0071.patch

Current patch does not apply to 1.2.6 (filenames changed).
Here is a patch adapted for VDR 1.2.6, untested.

Comment 7 Thierry Carrez (RETIRED) 2005-01-24 05:39:59 UTC

I think this applies to us because "runvdr" runs as root by default.
Given the scope it's probably better to wait for this to be public.

Comment 8 Thierry Carrez (RETIRED) 2005-01-25 08:06:33 UTC

Public now: Debian Security Advisory DSA 656-1
Unclassified signoff:koon/jaervosz

media-video herd, please apply attached patch

Comment 9 Jan Brinkmann (RETIRED) 2005-01-25 08:15:45 UTC

tested and commited.

Comment 10 Thierry Carrez (RETIRED) 2005-01-27 06:53:03 UTC

luckyduck/media-video: please create a new revision for the ebuilds, so that people with vdr installed can get the fix by upgrading.

Comment 11 Jan Brinkmann (RETIRED) 2005-01-27 07:09:12 UTC

ok, done

Comment 12 Thierry Carrez (RETIRED) 2005-01-27 07:16:31 UTC

GLSA vote. We issue GLSAs for tmpfile vulns and Debian issued one, so I vote YES.

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2005-01-29 02:22:13 UTC

I vote YES to this one as well.

Comment 14 Thierry Carrez (RETIRED) 2005-01-30 10:51:12 UTC

GLSA 200501-42