Debian Bug report logs - #366816
xmcdconfig creates cddb directories with mode 777


Package: xmcd; Maintainer for xmcd is Debian QA Group <packages@qa.debian.org>;

Reported by: Justin B Rye <jbr@edlug.org.uk>

Date: Thu, 11 May 2006 11:18:01 UTC

Severity: grave

Tags: fixed, patch, security

Found in version xmcd/2.6-17.1

Fixed in version 2.6-17.2

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Adrian Bridgett <bridgett@debian.org>:
Bug#366816; Package xmcd.

Acknowledgement sent to Justin B Rye <jbr@edlug.org.uk>:
New Bug report received and forwarded. Copy sent to Adrian Bridgett <bridgett@debian.org>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Justin B Rye <jbr@edlug.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xmcdconfig creates cddb directories with mode 777
Date: Thu, 11 May 2006 12:06:24 +0100
[Message part 1 (text/plain, inline)]
Package: xmcd
Version: 2.6-17.1
Severity: grave
Tags: security patch
Justification: causes non-serious data loss

Symptoms: /usr/sbin/xmcdconfig creates directories world-writeable
	below /var/lib/cddb and /var/lib/xmcd/discog

Risk: unprivileged users (including any subverted PHP-script running
	as "nobody") can fill up the filesystem, or delete all my
	collected cddb discography data.

This bug has been noticed before, and attempted fixes are already
present in the postinsts for cddb and xmcd - the permissions they're
aiming at are the much saner "root:audio 03775".  Unfortunately,
/usr/sbin/xmcdconfig may be run _after_ these install-time chmod-Rs,
and it explicitly sets:

 OWNER=root
 GROUP=root
 CDIRPERM=777

...then calls "make_dir $CDDBDIR/$i $CDIRPERM $OWNER $GROUP" and
"make_dir $DISCOGDIR/$i $CDIRPERM $OWNER $GROUP".

Since xmcdconfig starts out as $SOURCE/libdi_d/config.sh, you'd
think it would be easy to fix.  Alas, those OWNER and GROUP lines
are initially set to =bin, then munged by a sed invocation in
$SOURCE/install.sh to match the $OWNER and $GROUP used everywhere
else in the install process.

In other words, I don't see a clean and simple patch.  So here's an
ugly one.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.xamanek
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xmcd depends on:
ii  cddb                      2.6-17.1       CD DataBase support tools
ii  lesstif1                  1:0.93.94-12   OSF/Motif 1.2 implementation relea
ii  libc6                     2.3.6-7        GNU C Library: Shared libraries
ii  libncurses5               5.5-1.1        Shared libraries for terminal hand
ii  libx11-6                  6.9.0.dfsg.1-6 X Window System protocol client li
ii  libxt6                    6.9.0.dfsg.1-6 X Toolkit Intrinsics
ii  zlib1g                    1:1.2.3-11     compression library - runtime

-- no debconf information
-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
[xmcdconfig-perms-kludge.patch (text/plain, attachment)]
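An added check, not code from this bug report or from the xmcd/cddb packages: it detects the condition the report describes (directories below the cddb and discography roots left at mode 777) and restores the "root:audio 03775" layout the postinsts aim for. The two roots and the group name come from the report; the script name and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from this bug report or from the xmcd/cddb packages.
# It detects what the report describes (directories below the cddb and
# discography roots left with mode 777) and restores the layout the package
# postinsts aim for, "root:audio 03775". The roots passed on the command
# line are whatever the caller chooses; nothing is touched without --fix.

# List every directory under $1 whose mode grants write to "other".
# -perm -0002 is the POSIX octal form, so this works with any find(1).
find_world_writable_dirs() {
    [ -d "$1" ] || return 0
    find "$1" -type d -perm -0002 | sort
}

# Number of such directories, printed as a plain integer.
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Restore the intended mode on each flagged directory: 3775 = setgid (new
# entries inherit the group) + sticky (users cannot remove each other's
# files) + rwxrwxr-x. Group ownership can only be set by root, so as an
# ordinary user only the mode bits are corrected.
fix_world_writable_dirs() {
    root="$1"
    group="${2:-audio}"
    find_world_writable_dirs "$root" | while IFS= read -r dir; do
        if [ "$(id -u)" -eq 0 ]; then
            chown "root:$group" "$dir"
        fi
        chmod 3775 "$dir"
        echo "fixed: $dir"
    done
}

# Audit each root given on the command line, e.g.
#   sh check-cddb-perms.sh /var/lib/cddb /var/lib/xmcd/discog
# Put --fix first to repair as well; with no arguments nothing is done.
fix=0
if [ "${1:-}" = "--fix" ]; then fix=1; shift; fi
for root in "$@"; do
    echo "$root: $(count_world_writable_dirs "$root") world-writable directories"
    if [ "$fix" -eq 1 ]; then fix_world_writable_dirs "$root"; fi
done
```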

Information forwarded to debian-bugs-dist@lists.debian.org, Adrian Bridgett <bridgett@debian.org>:
Bug#366816; Package xmcd.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Adrian Bridgett <bridgett@debian.org>.

Message #10 received at 366816@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 366816@bugs.debian.org
Subject: CVE-2006-2542
Date: Thu, 25 May 2006 20:35:13 +0200
[Message part 1 (text/plain, inline)]
This bug is also known as CVE-2006-2542.  Please mention this in the
changelog.

A more suitable patch to fix this problem imho is the attached one.

Regards,

	Joey

-- 
Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.
[patch.CVE-2006-2542.xmcd (text/plain, attachment)]

Tags added: fixed. Request was from Julien Danjou <acid@debian.org> to control@bugs.debian.org.

Message sent on to Justin B Rye <jbr@edlug.org.uk>:
Bug#366816.

Message #15 received at 366816-submitter@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 366816-submitter@bugs.debian.org
Subject: Debian bug #366816
Date: Thu, 26 Oct 2006 22:29:18 +0100
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #366816 in the xmcd
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam



Bug marked as fixed in version 2.6-17.2, send any further explanations to Justin B Rye <jbr@edlug.org.uk>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 17:39:14 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 17:24:27 2014; Machine Name: beach.debian.org
