
[SECURITY] [DLA 2246-1] xawtv security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : xawtv
Version        : 3.103-3+deb8u1
CVE ID         : CVE-2020-13696
Debian Bug     : 962221


An issue was discovered in LinuxTV xawtv before 3.107. The function
dev_open() in v4l-conf.c does not perform sufficient checks to
prevent an unprivileged caller of the program from opening unintended
filesystem paths. This allows a local attacker with access to the
v4l-conf setuid-root program to test for the existence of arbitrary
files and to trigger an open on arbitrary files with mode O_RDWR.
To achieve this, relative path components need to be added to the
device path, as demonstrated by a
v4l-conf -c /dev/../root/.bash_history command.

For Debian 8 "Jessie", this problem has been fixed in version
3.103-3+deb8u1.

We recommend that you upgrade your xawtv packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

