[Pkg-wmaker-commits] [wmtv] 17/48: wmtv: Fix security hole.
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Mon Feb 1 20:13:21 UTC 2016
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to branch master
in repository wmtv.
commit b58502874740d52dd231dc82d6070f91ec53260d
Author: Doug Torrance <dtorrance at piedmont.edu>
Date: Mon Feb 1 00:45:10 2016 -0500
wmtv: Fix security hole.
Patch by Nicolas Boullis <Boullis.Nicolas at libertysurf.fr>. From [1]:
From: Nicolas Boullis <Boullis.Nicolas at libertysurf.fr>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: wmtv: dangerous suid root
Date: Thu, 08 Nov 2001 20:07:52 +0100
Hi !
I think there is a huge security hole with wmtv and, when wmtv is installed,
anyone can easily get a root account. Here is what I have in my terminal:
(every time I launched wmtv, I double-clicked in the tv subwindow to call the
external program)
----------------------------------------------------------------------
Tintin:~> wmtv -e whoami
root
Tintin:~> cat > crack_root.sh
#!/bin/sh
cp /bin/sh /tmp
chmod u+s /tmp/sh
Tintin:~> chmod +x crack_root.sh
Tintin:~> wmtv -e ~/crack_root.sh
Tintin:~> ll /tmp/sh
-rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh*
----------------------------------------------------------------------
I tried to make wmtv non-suid root, and... sometimes it works (despite an
error message), sometimes it does not...
----------------------------------------------------------------------
Tintin:~> ll /usr/bin/X11/wmtv
-rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv*
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
wmtv: no physical frame buffer access
----------------------------------------------------------------------
Hence, I guess you should either correct wmtv so that it always works without
being suid root, or make wmtv lose its privileges before it runs an external
program.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
---
src/wmtv.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/wmtv.c b/src/wmtv.c
index d2998f5..7e2d663 100644
--- a/src/wmtv.c
+++ b/src/wmtv.c
@@ -249,7 +249,7 @@ main(int argc, char *argv[])
break;
case 'e':
exe = strdup(optarg);
- strcat(exe, " &");
+ /* strcat(exe, " &"); */
break;
case 'b':
fprintf(stderr, "wmtv: option not implemented yet\n");
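Review bot: In the 'e' case, delete the strcat line rather than leaving it commented out, and say in the commit message why it goes. exe comes from strdup(optarg), which allocates exactly strlen(optarg) + 1 bytes, so the old strcat(exe, " &") wrote past the end of that heap buffer; removing it fixes an overflow in a setuid program as well as dropping the shell-level backgrounding that the later fork() replaces. The return value of strdup(optarg) is also still unchecked, so an allocation failure silently leaves exe as NULL and the -e option is ignored without any message.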
@@ -439,7 +439,17 @@ main(int argc, char *argv[])
if (exe) {
ntfb_status = SETOFF;
TVOff();
- system(exe);
+ /* system(exe); */
+ if (fork() == (pid_t) 0) {
+ char *argv[4];
+ setuid(getuid()); /* Drop the privileges */
+ argv[0] = "sh";
+ argv[1] = "-c";
+ argv[2] = exe;
+ argv[3] = NULL;
+ execv("/bin/sh", argv);
+ exit(-1);
+ }
#if 0
pid = fork();
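Review bot: In the child branch, the result of setuid(getuid()) is not checked, so if the call fails execv("/bin/sh", argv) still runs the user-supplied command with root privileges. Test the return value and leave the child without exec'ing on failure, for example if (setuid(getuid()) != 0) _exit(127);. Only the user ID is dropped here; a setgid(getgid()) before the setuid() call would cover the case where the binary is installed setgid. The condition fork() == (pid_t) 0 also treats a failed fork (-1) the same as the parent path, so the command is skipped with no error reported, and the parent never waits for the child, which leaves a zombie for each launch. Smaller points: the local char *argv[4] shadows main's argv parameter and would read better under another name, exit(-1) in the child should be _exit() so the parent's atexit handlers and stdio buffers are not run twice, and the commented-out system(exe) line should be removed rather than kept.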
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmtv.git