Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-08 Thread Mattia Rizzolo
On Wed, Jul 08, 2020 at 09:07:25AM +0100, Jeremy Sowden wrote:
...
> The new upstream release added extra checks to ensure that the object at
> the end of the path is a device file of the right sort before opening
> it:
...
> However, the error messages still leak information, allowing the user to
> test for the existence of arbitrary files:
...
> The patch changes the error messages to prevent this:
...

Oh, I think I understand now.  So I reckon with the extra patch this CVE
is fixed.

I'm going to upload this soon :)

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-08 Thread Jeremy Sowden
On 2020-07-06, at 19:11:09 +, Vasyl Gello wrote:
> July 6, 2020 6:58:05 PM UTC, Mattia Rizzolo wrote:
> > On Mon, Jul 06, 2020 at 05:10:30AM +, Vasyl Gello wrote:
> > > Thanks for contributing the security release! I checked your
> > > changes and pushed them to the team repo.  I do not have upload
> > > rights, so CCing Sebastian and Mattia.
> >
> > Also, the commit adding the CVE patch mentions "partial fix", as
> > does the sec-tracker page.  Can anybody explain shortly what's with
> > that, where is the full fix (if there is), and how come the LTS
> > upload claims this to be fully fixed instead (CCing the LTS team and
> > the uploader for this).
>
> By partial I understood that upstream fixed the core part but the
> Debian patch should have been adapted to reflect new changes.
>
> Jeremy, can you please correct me if I am wrong?

v4l-conf is seteuid-root and is intended to be used to probe video
devices under /dev.  The path is given as a command-line argument and
the only validation that used to be done was a check that it began with
"/dev".  This means an unprivileged user could test for the existence of
arbitrary files outside /dev and open them:

  $ v4l-conf -f -c /dev/../root/.bashrc
  VT_GETSTATE is not supported: Inappropriate ioctl for device
  mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
  /dev/../root/.bashrc: wrong device
  $ v4l-conf -f -c /dev/../root/.abshrc
  VT_GETSTATE is not supported: Inappropriate ioctl for device
  mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
  can't open /dev/../root/.abshrc: No such file or directory

The new upstream release added extra checks to ensure that the object at
the end of the path is a device file of the right sort before opening
it:

  /* First check if the device is really a devnode of the right type */
  if (-1 == stat(device, &stb)) {
      fprintf(stderr, "stat(%s): %s\n", device, strerror(errno));
      exit(1);
  }

  if (!S_ISCHR(stb.st_mode) || (major(stb.st_rdev) != major)) {
      fprintf(stderr, "%s: wrong device\n", device);
      exit(1);
  }

However, the error messages still leak information, allowing the user to
test for the existence of arbitrary files:

  $ v4l-conf -f -c /dev/../root/.bashrc
  VT_GETSTATE is not supported: Inappropriate ioctl for device
  mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
  /dev/../root/.bashrc: wrong device
  $ v4l-conf -f -c /dev/../root/.abshrc
  VT_GETSTATE is not supported: Inappropriate ioctl for device
  mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
  stat(/dev/../root/.abshrc): No such file or directory

The patch changes the error messages to prevent this:

  $ v4l-conf -f -c /dev/../root/.bashrc
  VT_GETSTATE is not supported: Inappropriate ioctl for device
  mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
  /dev/../root/.bashrc: invalid path or file is not of the right type
  $ v4l-conf -f -c /dev/../root/.abshrc
  VT_GETSTATE is not supported: Inappropriate ioctl for device
  mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
  /dev/../root/.abshrc: invalid path or file is not of the right type

J.
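
The two reporting behaviours described in the message above, side by side, as an added example (not xawtv source and not part of the original post). The function names and the major number 81 passed in main() are assumptions made here; the message strings are the ones shown in the outputs above.

```c
/* Added example, not xawtv source: one check, two ways of reporting failure. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major() on glibc */
#include <sys/types.h>

/* 0: char device with the wanted major; -1: stat() failed; -2: wrong type. */
static int check_devnode(const char *path, unsigned want_major)
{
    struct stat stb;
    if (stat(path, &stb) == -1)
        return -1;                       /* errno says why */
    if (!S_ISCHR(stb.st_mode) || major(stb.st_rdev) != want_major)
        return -2;
    return 0;
}

/* Messages as in the upstream check: the text reveals why it failed. */
int report_leaky(const char *path, unsigned want_major, char *msg, size_t n)
{
    int rc = check_devnode(path, want_major);
    msg[0] = '\0';
    if (rc == -1)
        snprintf(msg, n, "stat(%s): %s", path, strerror(errno));
    else if (rc == -2)
        snprintf(msg, n, "%s: wrong device", path);
    return rc != 0;
}

/* Message as in the patched output: identical text for every failure. */
int report_uniform(const char *path, unsigned want_major, char *msg, size_t n)
{
    msg[0] = '\0';
    if (check_devnode(path, want_major) != 0)
        snprintf(msg, n, "%s: invalid path or file is not of the right type", path);
    return check_devnode(path, want_major) != 0;
}

int main(int argc, char **argv)
{
    char msg[512];   /* 81: assumed video4linux major, not taken from the page */
    const char *path = argc > 1 ? argv[1] : "/dev/../constructed-missing-file";
    int rc = report_uniform(path, 81, msg, sizeof msg);
    if (rc) fprintf(stderr, "%s\n", msg);
    return rc;
}
```

Both functions return the same status for every failure, so only the message text distinguishes a missing path from an existing non-device in the leaky variant.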




Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-07 Thread Vasyl Gello
Mattia,

July 7, 2020 2:42:20 PM UTC, Vasyl Gello wrote:
>Got it! OK, let me do a quick fix for both issues and push additional commit.

Commit is pushed, please try rebuilding the package!
-- 
Vasyl Gello
==
Certified SolidWorks Expert

Mob.:+380 (98) 465 66 77

E-Mail: vasek.ge...@gmail.com

Skype: vasek.gello
==
A tiger dies and leaves its skin; a person dies and leaves their name



Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-07 Thread Vasyl Gello
Hi Mattia!

July 7, 2020 2:25:37 PM UTC, Mattia Rizzolo wrote:
>..however it fails to build :)
>
>   dh_auto_install
>   install -d /build/xawtv-3.107/debian/tmp
>   make -j4 install DESTDIR=/build/xawtv-3.107/debian/tmp 
> AM_UPDATE_INFO_DIR=no
>make[1]: Entering directory '/build/xawtv-3.107'
>/usr/bin/install -c -d -m 755 /build/xawtv-3.107/debian/tmp/usr/bin
>/usr/bin/install -c  console/dump-mixers console/record console/showriff 
>console/showqt console/streamer console/webcam console/scantv console/ttv 
>console/radio console/fbtv console/v4l-info 
>/build/xawtv-3.107/debian/tmp/usr/bin
>/usr/bin/install -c  -m4755 -o root console/v4l-conf 
>/build/xawtv-3.107/debian/tmp/usr/bin
>/usr/bin/install: cannot change ownership of 
>'/build/xawtv-3.107/debian/tmp/usr/bin/v4l-conf': Operation not permitted
>make[1]: *** [console/Subdir.mk:100: install] Error 1
>make[1]: Leaving directory '/build/xawtv-3.107'
>dh_auto_install: error: make -j4 install DESTDIR=/build/xawtv-3.107/debian/tmp 
>AM_UPDATE_INFO_DIR=no returned exit code 2
>make: *** [debian/rules:6: binary] Error 25
>dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
>
>
>this is related to the addition of Rules-Requires-Root.  When run
>without fakeroot it's not possible to run such `chmod` commands.  In
>fact, they are most likely always wrong to run them anyway…

I of course built the package but my build setup always uses fakeroot exactly
to get rid of chown() calls. I will update Rules-Requires-Root to yes then.

>In d/copyright, that boilerplate-y thing you copied into the Comment
>field, IMHO you should just get rid of it.  Also, it's missing many of
>the years in the copyright claims: a copyright claim without a year is
>at most a legal headache and at worst invalid.

Got it! OK, let me do a quick fix for both issues and push additional commit.
-- 
Vasyl Gello
==
Certified SolidWorks Expert

Mob.:+380 (98) 465 66 77

E-Mail: vasek.ge...@gmail.com

Skype: vasek.gello
==
A tiger dies and leaves its skin; a person dies and leaves their name



Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-07 Thread Mattia Rizzolo
On Mon, Jul 06, 2020 at 09:07:31PM +, Vasyl Gello wrote:
> I pushed the modernized package however

..however it fails to build :)

   dh_auto_install
install -d /build/xawtv-3.107/debian/tmp
make -j4 install DESTDIR=/build/xawtv-3.107/debian/tmp 
AM_UPDATE_INFO_DIR=no
make[1]: Entering directory '/build/xawtv-3.107'
/usr/bin/install -c -d -m 755 /build/xawtv-3.107/debian/tmp/usr/bin
/usr/bin/install -c  console/dump-mixers console/record console/showriff 
console/showqt console/streamer console/webcam console/scantv console/ttv 
console/radio console/fbtv console/v4l-info 
/build/xawtv-3.107/debian/tmp/usr/bin
/usr/bin/install -c  -m4755 -o root console/v4l-conf 
/build/xawtv-3.107/debian/tmp/usr/bin
/usr/bin/install: cannot change ownership of 
'/build/xawtv-3.107/debian/tmp/usr/bin/v4l-conf': Operation not permitted
make[1]: *** [console/Subdir.mk:100: install] Error 1
make[1]: Leaving directory '/build/xawtv-3.107'
dh_auto_install: error: make -j4 install DESTDIR=/build/xawtv-3.107/debian/tmp 
AM_UPDATE_INFO_DIR=no returned exit code 2
make: *** [debian/rules:6: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2


this is related to the addition of Rules-Requires-Root.  When run
without fakeroot it's not possible to run such `chmod` commands.  In
fact, they are most likely always wrong to run them anyway…

> there are two errors claiming two libs are not compiled against libc and
> several others missing required prerequisites. I have not figured yet how
> to fix these, maybe you know?

I'll see them when I can fully build the package ;)


In d/copyright, that boilerplate-y thing you copied into the Comment
field, IMHO you should just get rid of it.  Also, it's missing many of
the years in the copyright claims: a copyright claim without a year is
at most a legal headache and at worst invalid.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-06 Thread Vasyl Gello
Hi Mattia!

July 6, 2020 6:58:05 PM UTC, Mattia Rizzolo wrote:
>but could either of you do a bunch of housekeeping work as well, like:
> * bumping dh compat
> * drop --dbgsym-migration
> * drop the .menu files
> * would be awesome to have the copyright file rewritten using dep-5
> * 

I pushed the modernized package however if you check resulting Lintian report,
there are two errors claiming two libs are not compiled against libc and several
others missing required prerequisites. I have not figured yet how to fix these,
maybe you know?


-- 
Vasyl Gello
==
Certified SolidWorks Expert

Mob.:+380 (98) 465 66 77

E-Mail: vasek.ge...@gmail.com

Skype: vasek.gello
==
A tiger dies and leaves its skin; a person dies and leaves their name



Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-06 Thread Vasyl Gello
Hi Mattia!

By partial I understood that upstream fixed the core part but the Debian patch
should have been adapted to reflect new changes.
Jeremy, can you please correct me if I am wrong?
-- 
Vasyl Gello
==
Certified SolidWorks Expert

Mob.:+380 (98) 465 66 77

E-Mail: vasek.ge...@gmail.com

Skype: vasek.gello
==
A tiger dies and leaves its skin; a person dies and leaves their name

July 6, 2020 6:58:05 PM UTC, Mattia Rizzolo wrote:
>On Mon, Jul 06, 2020 at 05:10:30AM +, Vasyl Gello wrote:
>> Thanks for contributing the security release! I checked your changes and 
>> pushed them to the team repo.
>> I do not have upload rights, so CCing Sebastian and Mattia.
>
>Sure,
>
>but could either of you do a bunch of housekeeping work as well, like:
> * bumping dh compat
> * drop --dbgsym-migration
> * drop the .menu files
> * would be awesome to have the copyright file rewritten using dep-5
> * 
>
>Also, the commit adding the CVE patch mentions "partial fix", as does
>the sec-tracker page.  Can anybody explain shortly what's with that,
>where is the full fix (if there is), and how come the LTS upload claims
>this to be fully fixed instead (CCing the LTS team and the uploader for
>this).
>
>-- 
>regards,
>Mattia Rizzolo
>
>GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
>More about me:  https://mapreri.org : :'  :
>Launchpad user: https://launchpad.net/~mapreri  `. `'`
>Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-06 Thread Mattia Rizzolo
On Mon, Jul 06, 2020 at 05:10:30AM +, Vasyl Gello wrote:
> Thanks for contributing the security release! I checked your changes and 
> pushed them to the team repo.
> I do not have upload rights, so CCing Sebastian and Mattia.

Sure,

but could either of you do a bunch of housekeeping work as well, like:
 * bumping dh compat
 * drop --dbgsym-migration
 * drop the .menu files
 * would be awesome to have the copyright file rewritten using dep-5
 * 

Also, the commit adding the CVE patch mentions "partial fix", as does
the sec-tracker page.  Can anybody explain shortly what's with that,
where is the full fix (if there is), and how come the LTS upload claims
this to be fully fixed instead (CCing the LTS team and the uploader for
this).

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#962221: Fixes for CVE-2020-13696 (#962221)

2020-07-05 Thread Vasyl Gello
Hi Jeremy!

Thanks for contributing the security release! I checked your changes and pushed 
them to the team repo.
I do not have upload rights, so CCing Sebastian and Mattia.
-- 
Vasyl Gello
==
Certified SolidWorks Expert

Mob.:+380 (98) 465 66 77

E-Mail: vasek.ge...@gmail.com

Skype: vasek.gello
==
A tiger dies and leaves its skin; a person dies and leaves their name
