Bug#375534: vorbis-tools: Vorbiscoment changes the owner and
permissions of the ogg file.
Martintxo
martintxo at sindominio.net
Mon Jun 26 15:04:47 UTC 2006
Package: vorbis-tools
Version: 1.0.1-1.3
Severity: grave
Justification: user security hole
Tags: security
Hello:
I encountered this problem taggin some ogg and mp3 files with easytag, and
later tagtool, both from Sarge (my sistem is a Sarge environment, with a
few packages upgraded, and NO security upgrades :-/). So I test if it
appears too in the vorbiscoment command line tool, and I see that it is
affected too. So I don't know "where" to send this bugreport (I choose
vorbis-tools, but maybe there are another packages involved).
The problem NOT appears when taggin mp3 files, only ogg.
The problem may be resolved at this moment by the security system, but I
searched the BTS web interface and no encountered any reference to it. If
it is so, forget this report (and, if you can and it is easy, email me a
patch :-D).
The problem is that if you try to edit the vorbis tags of a ogg file that
you don't own (and that is read-only too), you can made it. See the
following "log":
martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chown root:root 'AC-DC -
Down Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 000 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
---------- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
Error opening input file 'AC-DC - Down Payment Blues.ogg'.
martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 400 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-r-------- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
Error opening input file 'AC-DC - Down Payment Blues.ogg'.
martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 440 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-r--r----- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
Error opening input file 'AC-DC - Down Payment Blues.ogg'.
martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 444 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-r--r--r-- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-rw-r--r-- 1 martintxo martintxo 2765151 2006-06-26 16:08 AC-DC - Down
Payment Blues.ogg
In the last try, with a file that is owned to root, and read-only by all
users, a normal user (martintxo) can edit the tags, and the file pass to be
owned by he.
I think that it may be a security hole, but I'm not a programmer.
Thanks for all the work in Debian. Excuse my bad english. Regards.
Martintxo.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.20-ck7
Locale: LANG=eu_ES, LC_CTYPE=eu_ES (charmap=ISO-8859-1)
Versions of packages vorbis-tools depends on:
ii libao2 0.8.6-1 Cross Platform Audio Output
ii libc6 2.3.2.ds1-22 GNU C Library: Shared
ii libcurl3 7.13.2-2 Multi-protocol file transfer
ii libflac6 1.1.1-5 Free Lossless Audio Codec -
ii libidn11 0.5.13-1.0 GNU libidn library,
ii libogg0 1.1.2-1 Ogg Bitstream Library
ii liboggflac1 1.1.1-5 Free Lossless Audio Codec -
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii libvorbis0a 1.1.0-1 The Vorbis General Audio
ii libvorbisenc2 1.1.0-1 The Vorbis General Audio
ii libvorbisfile3 1.1.0-1 The Vorbis General Audio
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
More information about the pkg-xiph-maint
mailing list