Package: xmcd
Version: 2.6-17.1
Severity: grave
Tags: security patch
Justification: causes non-serious data loss
Symptoms: /usr/sbin/xmcdconfig creates directories world-writable below /var/lib/cddb and /var/lib/xmcd/discog

Risk: unprivileged users (including any subverted PHP script running as "nobody") can fill up the filesystem, or delete all my collected cddb discography data.

This bug has been noticed before, and attempted fixes are already present in the postinsts for cddb and xmcd - the permissions they're aiming at are the much saner "root:audio 03775". Unfortunately, /usr/sbin/xmcdconfig may be run _after_ these install-time chmod -Rs, and it explicitly sets:

OWNER=root
GROUP=root
CDIRPERM=777

...then calls "make_dir $CDDBDIR/$i $CDIRPERM $OWNER $GROUP" and "make_dir $DISCOGDIR/$i $CDIRPERM $OWNER $GROUP".

Since xmcdconfig starts out as $SOURCE/libdi_d/config.sh, you'd think it would be easy to fix. Alas, those OWNER and GROUP lines are initially set to =bin, then munged by a sed invocation in $SOURCE/install.sh to match the $OWNER and $GROUP used everywhere else in the install process. In other words, I don't see a clean and simple patch. So here's an ugly one.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.xamanek
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xmcd depends on:
ii  cddb          2.6-17.1          CD DataBase support tools
ii  lesstif1      1:0.93.94-12      OSF/Motif 1.2 implementation relea
ii  libc6         2.3.6-7           GNU C Library: Shared libraries
ii  libncurses5   5.5-1.1           Shared libraries for terminal hand
ii  libx11-6      6.9.0.dfsg.1-6    X Window System protocol client li
ii  libxt6        6.9.0.dfsg.1-6    X Toolkit Intrinsics
ii  zlib1g        1:1.2.3-11        compression library - runtime

-- no debconf information

-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
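The exposure described in the report (category directories created 0777, so any local user can fill the disk or unlink other users' cddb entries) and the permissions the postinsts aim for (03775 root:audio) can be checked and re-applied with a small audit script. This is an added example, not code from the bug report or from the xmcd/cddb packages: the function names are my own, it assumes GNU find/stat/chmod and getent (a Linux system), and it leaves the owner alone so it can be run as an unprivileged user for testing; run it as root if you want root:audio. Set XMCD_DEMO=1 to run it against a throw-away copy of the cddb layout.

```shell
#!/bin/sh
# Added example (not part of the bug report or of xmcd): audit a data tree for
# world-writable directories and re-apply the 03775 mode the report argues for.
# Assumes GNU find/stat/chmod and getent; function names are hypothetical.

# Print every world-writable directory under $1, one per line.
# Returns 1 when at least one was found, 0 when the tree is clean.
audit_world_writable() {
    dir="$1"
    found=$(find "$dir" -type d -perm -0002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Number of world-writable directories under $1 (prints 0 when clean).
count_world_writable() {
    find "$1" -type d -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Apply mode 03775 (rwxrwsr-x + sticky) to every directory under $1 and
# chgrp to $2 (default: audio) when that group exists on this system.
# The setgid bit makes new entries inherit the group; the sticky bit stops
# one user unlinking another user's entries. chgrp runs first so the setgid
# bit is not cleared by a chmod into a group the caller is not a member of.
harden_tree() {
    dir="$1"
    group="${2:-audio}"
    if getent group "$group" >/dev/null 2>&1; then
        chgrp -R "$group" "$dir"
    else
        echo "warning: group '$group' does not exist; group ownership left unchanged" >&2
    fi
    find "$dir" -type d -exec chmod 03775 {} +
}

# Octal mode of a path as GNU stat prints it, e.g. 3775 or 777.
mode_of() {
    stat -c '%a' "$1"
}

# Demo on a constructed tree that mimics /var/lib/cddb and /var/lib/xmcd/discog
# after a run of xmcdconfig with CDIRPERM=777.
demo() {
    tmp=$(mktemp -d)
    for cat in rock jazz blues; do
        mkdir -p "$tmp/cddb/$cat" "$tmp/discog/$cat"
        chmod 0777 "$tmp/cddb/$cat" "$tmp/discog/$cat"
    done
    echo "before: $(count_world_writable "$tmp") world-writable directories"
    audit_world_writable "$tmp" || true
    harden_tree "$tmp" "$(id -gn)"   # use the caller's group so the demo works unprivileged
    echo "after:  $(count_world_writable "$tmp") world-writable directories;" \
         "cddb/rock is mode $(mode_of "$tmp/cddb/rock")"
    rm -rf "$tmp"
}

if [ "${XMCD_DEMO:-}" = 1 ]; then
    demo
fi
```

On a real installation you would point `harden_tree` at /var/lib/cddb and /var/lib/xmcd/discog as root with the default group, which is exactly what the packages' postinst chmod -R is trying to do; the audit function is the part worth keeping around, since the report's whole point is that xmcdconfig can undo the postinst after the fact.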
diff -ru xmcd-2.6.pristine/libdi_d/config.sh xmcd-2.6/libdi_d/config.sh --- xmcd-2.6.pristine/libdi_d/config.sh 2006-05-10 15:54:17.000000000 +0100 +++ xmcd-2.6/libdi_d/config.sh 2006-05-10 18:53:26.000000000 +0100 @@ -46,9 +46,10 @@ SCRDIR=$XMCDLIB/scripts SITES=$CFGDIR/sites TBLDIR=$XMCDLIB/tbl -OWNER=bin -GROUP=bin -CDIRPERM=777 +# permissions variables bypassed: +# OWNER=bin +# GROUP=bin +# CDIRPERM=777 DFLT_CGIPATH='/~cddb/cddb.cgi' CDDBCATS="rock jazz blues newage classical reggae folk country soundtrack misc data" BROWSERS="mozilla netscape Mosaic" @@ -1352,11 +1353,11 @@ then for i in $CDDBCATS do - make_dir $CDDBDIR/$i $CDIRPERM $OWNER $GROUP + make_dir $CDDBDIR/$i 03775 root audio done for i in $CDDBCATS do - make_dir $DISCOGDIR/$i $CDIRPERM $OWNER $GROUP + make_dir $DISCOGDIR/$i 03775 root audio done if [ -x $XMCDLIB/scripts/genidx ] then
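Review bot: commenting out the OWNER, GROUP and CDIRPERM assignments at the top of config.sh leaves those three variables empty for any other use in the script, while the patch only rewrites the two make_dir calls in the second hunk; before applying, grep config.sh for remaining references to $OWNER, $GROUP and $CDIRPERM, and check that the sed in install.sh that rewrites the OWNER=/GROUP= lines either still matches or only touches the now-commented text. Leaving the assignments in place (and changing only the make_dir calls, or setting CDIRPERM=03775) would be the smaller change and keeps install.sh working unmodified.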
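Review bot: the replacement make_dir lines hardcode the Debian group name audio and mode 03775 into upstream's config.sh, so on a system without an audio group the calls will fail or leave group ownership unchanged, depending on what make_dir does with a bad group; guard the loop (e.g. check `getent group audio` first) or take the group from the same place the cddb/xmcd postinsts get it. This also fixes only directories make_dir creates: category directories left at 777 by an earlier run of xmcdconfig are repaired only if make_dir also chmods directories that already exist, so either confirm that or keep the postinst chmod -R after xmcdconfig in the install order. Both special bits in 03775 matter for the reported risk: the sticky bit is what stops one user unlinking another's entries, and setgid makes new files inherit group audio.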