Package: vorbis-tools Version: 1.0.1-1.3 Severity: grave Justification: user security hole Tags: security
Hello: I encountered this problem taggin some ogg and mp3 files with easytag, and later tagtool, both from Sarge (my sistem is a Sarge environment, with a few packages upgraded, and NO security upgrades :-/). So I test if it appears too in the vorbiscoment command line tool, and I see that it is affected too. So I don't know "where" to send this bugreport (I choose vorbis-tools, but maybe there are another packages involved). The problem NOT appears when taggin mp3 files, only ogg. The problem may be resolved at this moment by the security system, but I searched the BTS web interface and no encountered any reference to it. If it is so, forget this report (and, if you can and it is easy, email me a patch :-D). The problem is that if you try to edit the vorbis tags of a ogg file that you don't own (and that is read-only too), you can made it. See the following "log": [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ sudo chown root:root 'AC-DC - Down Payment Blues.ogg' [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ sudo chmod 000 'AC-DC - Down Payment Blues.ogg' [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ ls -l total 2708 ---------- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment Blues.ogg [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No One You Know' 'AC-DC - Down Payment Blues.ogg' Error opening input file 'AC-DC - Down Payment Blues.ogg'. [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ sudo chmod 400 'AC-DC - Down Payment Blues.ogg' [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ ls -l total 2708 -r-------- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment Blues.ogg [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No One You Know' 'AC-DC - Down Payment Blues.ogg' Error opening input file 'AC-DC - Down Payment Blues.ogg'. [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ sudo chmod 440 'AC-DC - Down Payment Blues.ogg' [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ ls -l total 2708 -r--r----- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment Blues.ogg [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No One You Know' 'AC-DC - Down Payment Blues.ogg' Error opening input file 'AC-DC - Down Payment Blues.ogg'. [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ sudo chmod 444 'AC-DC - Down Payment Blues.ogg' [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ ls -l total 2708 -r--r--r-- 1 root root 2765123 2006-06-26 16:05 AC-DC - Down Payment Blues.ogg [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ vorbiscomment -a -t 'PRUEBA=No One You Know' 'AC-DC - Down Payment Blues.ogg' [EMAIL PROTECTED]:~/Musica/AC-DC - Powerage$ ls -l total 2708 -rw-r--r-- 1 martintxo martintxo 2765151 2006-06-26 16:08 AC-DC - Down Payment Blues.ogg In the last try, with a file that is owned to root, and read-only by all users, a normal user (martintxo) can edit the tags, and the file pass to be owned by he. I think that it may be a security hole, but I'm not a programmer. Thanks for all the work in Debian. Excuse my bad english. Regards. Martintxo. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.4.20-ck7 Locale: LANG=eu_ES, LC_CTYPE=eu_ES (charmap=ISO-8859-1) Versions of packages vorbis-tools depends on: ii libao2 0.8.6-1 Cross Platform Audio Output ii libc6 2.3.2.ds1-22 GNU C Library: Shared ii libcurl3 7.13.2-2 Multi-protocol file transfer ii libflac6 1.1.1-5 Free Lossless Audio Codec - ii libidn11 0.5.13-1.0 GNU libidn library, ii libogg0 1.1.2-1 Ogg Bitstream Library ii liboggflac1 1.1.1-5 Free Lossless Audio Codec - ii libssl0.9.7 0.9.7e-3 SSL shared libraries ii libvorbis0a 1.1.0-1 The Vorbis General Audio ii libvorbisenc2 1.1.0-1 The Vorbis General Audio ii libvorbisfile3 1.1.0-1 The Vorbis General Audio ii zlib1g 1:1.2.2-4 compression library - runtime -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]