Bug#375534: vorbis-tools: Vorbiscoment changes the owner and permissions of the ogg file.

Martintxo martintxo at sindominio.net
Mon Jun 26 15:04:47 UTC 2006


Package: vorbis-tools
Version: 1.0.1-1.3
Severity: grave
Justification: user security hole
Tags: security

Hello:

I encountered this problem tagging some ogg and mp3 files with easytag, and
later tagtool, both from Sarge (my system is a Sarge environment, with a
few packages upgraded, and NO security upgrades :-/).  So I tested whether it
appears too in the vorbiscomment command line tool, and I see that it is
affected too. So I don't know "where" to send this bug report (I chose
vorbis-tools, but maybe there are other packages involved).

The problem does NOT appear when tagging mp3 files, only ogg.

The problem may be resolved at this moment by the security system, but I
searched the BTS web interface and did not encounter any reference to it. If
it is so, forget this report (and, if you can and it is easy, email me a
patch :-D).

The problem is that if you try to edit the vorbis tags of an ogg file that
you don't own (and that is read-only too), you can do it. See the
following "log":

martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chown root:root 'AC-DC -
Down Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 000 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
----------  1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
Error opening input file 'AC-DC - Down Payment Blues.ogg'.

martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 400 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-r--------  1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
Error opening input file 'AC-DC - Down Payment Blues.ogg'.

martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 440 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-r--r-----  1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
Error opening input file 'AC-DC - Down Payment Blues.ogg'.

martintxo at fundy:~/Musica/AC-DC - Powerage$ sudo chmod 444 'AC-DC - Down
Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-r--r--r--  1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment
Blues.ogg
martintxo at fundy:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No
One You Know' 'AC-DC - Down Payment Blues.ogg'
martintxo at fundy:~/Musica/AC-DC - Powerage$ ls -l
total 2708
-rw-r--r--  1 martintxo martintxo 2765151 2006-06-26 16:08 AC-DC - Down
Payment Blues.ogg

In the last try, with a file that is owned by root, and read-only for all
users, a normal user (martintxo) can edit the tags, and the file passes to be
owned by him.

I think that it may be a security hole, but I'm not a programmer.

Thanks for all the work in Debian. Excuse my bad English. Regards.
Martintxo.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.20-ck7
Locale: LANG=eu_ES, LC_CTYPE=eu_ES (charmap=ISO-8859-1)

Versions of packages vorbis-tools depends on:
ii  libao2                      0.8.6-1      Cross Platform Audio Output
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared
ii  libcurl3                    7.13.2-2     Multi-protocol file transfer
ii  libflac6                    1.1.1-5      Free Lossless Audio Codec -
ii  libidn11                    0.5.13-1.0   GNU libidn library,
ii  libogg0                     1.1.2-1      Ogg Bitstream Library
ii  liboggflac1                 1.1.1-5      Free Lossless Audio Codec -
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  libvorbis0a                 1.1.0-1      The Vorbis General Audio
ii  libvorbisenc2               1.1.0-1      The Vorbis General Audio
ii  libvorbisfile3              1.1.0-1      The Vorbis General Audio
ii  zlib1g                      1:1.2.2-4    compression library - runtime

-- no debconf information
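An added example (my own C, not code from vorbis-tools or the reporter) of the check a tag editor should make before rewriting a file. It assumes the behaviour in the log comes from the tool writing a temporary copy and renaming it over the original, which only needs write access to the directory, not to the file; the report itself does not say how vorbiscomment writes, and the function and file names below are made up.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replace the contents of `path` via temp-file-and-rename, but first require
 * write permission on the file itself: open(O_WRONLY) is checked against the
 * file's owner and mode, whereas rename() only needs a writable directory.
 * The original mode is copied onto the new file. Returns 0 or -errno. */
int replace_file_checked(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY);      /* EACCES for a 0444 file of another user */
    if (fd < 0) return -errno;
    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); return -e; }
    close(fd);

    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int tfd = mkstemp(tmp);             /* created 0600 in the same directory */
    if (tfd < 0) return -errno;
    if (write(tfd, data, len) != (ssize_t)len || fchmod(tfd, st.st_mode & 07777) < 0
        || fsync(tfd) < 0 || rename(tmp, path) < 0) {
        int e = errno; close(tfd); unlink(tmp); return -e;
    }
    close(tfd);
    return 0;
}

/* Self-check on a constructed scratch file: a writable file is replaced with
 * its mode kept, and a 0444 file is refused with EACCES. The refusal case is
 * skipped when running as root, since root bypasses mode bits. Returns 0 on
 * success, otherwise the number of the step that failed. */
int run_demo(void)
{
    char path[] = "/tmp/tagdemo.XXXXXX"; struct stat st;
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, "old", 3) != 3 || fchmod(fd, 0644) < 0) return 1;
    close(fd);
    if (replace_file_checked(path, "new", 3) != 0) return 2;
    if (stat(path, &st) < 0 || (st.st_mode & 07777) != 0644 || st.st_size != 3) return 3;
    if (geteuid() != 0) {
        if (chmod(path, 0444) < 0) return 4;
        if (replace_file_checked(path, "x", 1) != -EACCES) return 5;
    }
    unlink(path);
    return 0;
}
```

The open() check and the later rename() are two separate steps, so a production tool would either rewrite through the checked descriptor or repeat the check right before the rename.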
