Report forwarded to debian-bugs-dist@lists.debian.org, Adrian Bridgett <bridgett@debian.org>: Bug#366816; Package xmcd.
Acknowledgement sent to Justin B Rye <jbr@edlug.org.uk>:
New Bug report received and forwarded. Copy sent to Adrian Bridgett <bridgett@debian.org>.
Package: xmcd
Version: 2.6-17.1
Severity: grave
Tags: security patch
Justification: causes non-serious data loss
Symptoms: /usr/sbin/xmcdconfig creates directories world-writeable
below /var/lib/cddb and /var/lib/xmcd/discog
Risk: unprivileged users (including any subverted PHP-script running
as "nobody") can fill up the filesystem, or delete all my
collected cddb discography data.
This bug has been noticed before, and attempted fixes are already
present in the postinsts for cddb and xmcd - the permissions they're
aiming at are the much saner "root:audio 03775". Unfortunately,
/usr/sbin/xmcdconfig may be run _after_ these install-time chmod-Rs,
and it explicitly sets:
OWNER=root
GROUP=root
CDIRPERM=777
...then calls "make_dir $CDDBDIR/$i $CDIRPERM $OWNER $GROUP" and
"make_dir $DISCOGDIR/$i $CDIRPERM $OWNER $GROUP".
Since xmcdconfig starts out as $SOURCE/libdi_d/config.sh, you'd
think it would be easy to fix. Alas, those OWNER and GROUP lines
are initially set to =bin, then munged by a sed invocation in
$SOURCE/install.sh to match the $OWNER and $GROUP used everywhere
else in the install process.
In other words, I don't see a clean and simple patch. So here's an
ugly one.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.xamanek
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages xmcd depends on:
ii cddb 2.6-17.1 CD DataBase support tools
ii lesstif1 1:0.93.94-12 OSF/Motif 1.2 implementation relea
ii libc6 2.3.6-7 GNU C Library: Shared libraries
ii libncurses5 5.5-1.1 Shared libraries for terminal hand
ii libx11-6 6.9.0.dfsg.1-6 X Window System protocol client li
ii libxt6 6.9.0.dfsg.1-6 X Toolkit Intrinsics
ii zlib1g 1:1.2.3-11 compression library - runtime
-- no debconf information
--
JBR
Ankh kak! (Ancient Egyptian blessing)
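As an added illustration, not code from the xmcd package or from the report above, the following POSIX shell script models the make_dir pattern that xmcdconfig uses, with the CDIRPERM=777 setting beside the root:audio 03775 mode the postinsts aim for, and audits a directory tree for the exact condition the report describes (world-writable directories without the sticky bit). The chown step is omitted so it runs unprivileged, and the temporary root and category names are constructed stand-ins for /var/lib/cddb.

```shell
#!/bin/sh
# Added example, not xmcd's own code: model the make_dir pattern from
# xmcdconfig and audit the result for the permission problem in the report.

WEAK_PERM=777    # CDIRPERM as set by xmcdconfig: world-writable, no sticky bit
SAFE_PERM=3775   # mode the Debian postinsts aim for (root:audio 03775)

# make_dir DIR PERM: create DIR and apply PERM.  The real make_dir also
# chowns to OWNER:GROUP; that step is left out so this runs unprivileged.
make_dir() {
    mkdir -p "$1" || return 1
    chmod "$2" "$1"
}

# audit_dirs ROOT: list directories under ROOT that any user can write to
# and that lack the sticky bit (so any user can also delete others' files).
# Returns 0 when none are found, 1 otherwise.
audit_dirs() {
    bad=$(find "$1" -type d -perm -0002 ! -perm -1000)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# fix_dirs ROOT PERM: apply PERM to every directory under ROOT, the
# chmod -R the postinsts already attempt.
fix_dirs() {
    find "$1" -type d -exec chmod "$2" {} +
}

# Demonstration on a constructed stand-in for /var/lib/cddb (category
# names are assumptions).
demo() {
    tmp=$(mktemp -d) || return 1
    for i in rock misc; do make_dir "$tmp/$i" "$WEAK_PERM" || return 1; done
    echo "after xmcdconfig-style setup, world-writable dirs without sticky bit:"
    audit_dirs "$tmp" || true
    fix_dirs "$tmp" "$SAFE_PERM"
    echo "after fix:"
    audit_dirs "$tmp" && echo "  none"
    rm -rf "$tmp"
}

demo
```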
Information forwarded to debian-bugs-dist@lists.debian.org, Adrian Bridgett <bridgett@debian.org>: Bug#366816; Package xmcd.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Adrian Bridgett <bridgett@debian.org>.
This bug is also known as CVE-2006-2542. Please mention this in the
changelog.
A more suitable patch to fix this problem imho is the attached one.
Regards,
Joey
--
Given enough thrust pigs will fly, but it's not necessarily a good idea.
Please always Cc to me when replying to me on the lists.
From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 366816-submitter@bugs.debian.org
Subject: Debian bug #366816
Date: Thu, 26 Oct 2006 22:29:18 +0100
Hi,
You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #366816 in the xmcd
package, which you reported.
Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.
Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.
Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.
[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:
- the bug was fixed in one version but subsequently found to exist
in a later version
- the bug existed in multiple distributions (for instance, "unstable"
and "stable") and was thus fixed in a separate upload to each
distribution
]
Regards,
Adam
Bug marked as fixed in version 2.6-17.2, send any further explanations to Justin B Rye <jbr@edlug.org.uk>
Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 17:39:14 GMT)