On 2020-07-06, at 19:11:09 +0000, Vasyl Gello wrote:
> July 6, 2020 6:58:05 PM UTC, Mattia Rizzolo <mattia@debian.org> wrote:
> > On Mon, Jul 06, 2020 at 05:10:30AM +0000, Vasyl Gello wrote:
> > > Thanks for contributing the security release! I checked your
> > > changes and pushed them to the team repo. I do not have an upload
> > > rights, so CCing Sebastian and Mattia.
> >
> > Also, the commit adding the CVE patch mentions "partial fix", as
> > does the sec-tracker page. Can anybody explain shortly what's with
> > that, where is the full fix (if there is), and how come the LTS
> > upload claims this to be fully fixed instead (CCing the LTS team and
> > the uploader for this).
>
> By partial I understood that upstream fixed the core part but the
> Debian patch should have been adapted to reflect new changes.
>
> Jeremy, can you please correct me if I am wrong?
v4l-conf is seteuid-root and is intended to be used to probe video
devices under /dev. The path is given as a command-line argument and
the only validation that used to be done was a check that it began with
"/dev". This means an unprivileged user could test for the existence of
arbitrary files outside /dev and open them:
$ v4l-conf -f -c /dev/../root/.bashrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
/dev/../root/.bashrc: wrong device
$ v4l-conf -f -c /dev/../root/.abshrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
can't open /dev/../root/.abshrc: No such file or directory
The new upstream release added extra checks to ensure that the object at
the end of the path is a device file of the right sort before opening
it:
    /* First check if the device is really a devnode of the right type */
    if (-1 == stat(device, &stb)) {
        fprintf(stderr, "stat(%s): %s\n", device, strerror(errno));
        exit(1);
    }
    if (!S_ISCHR(stb.st_mode) || (major(stb.st_rdev) != major)) {
        fprintf(stderr, "%s: wrong device\n", device);
        exit(1);
    }
However, the error messages still leak information, allowing the user to
test for the existence of arbitrary files:
$ v4l-conf -f -c /dev/../root/.bashrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
/dev/../root/.bashrc: wrong device
$ v4l-conf -f -c /dev/../root/.abshrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
stat(/dev/../root/.abshrc): No such file or directory
The patch changes the error messages to prevent this:
$ v4l-conf -f -c /dev/../root/.bashrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
/dev/../root/.bashrc: invalid path or file is not of the right type
$ v4l-conf -f -c /dev/../root/.abshrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
/dev/../root/.abshrc: invalid path or file is not of the right type
J.
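The check described above, written out as an added example (not Jeremy's patch and not the v4l-conf source): the reason for a rejection is kept in an internal result code for privileged logging, and the unprivileged caller always sees the same message, so neither "No such file or directory" nor "wrong device" can serve as a file-existence oracle. Assumes Linux (<sys/sysmacros.h> for major()); VIDEO_MAJOR 81 is the Linux video4linux character major and is not taken from the mail.

```c
/* Added example: uniform rejection message for a setuid device-probing
 * helper. Not from v4l-conf; assumes Linux (<sys/sysmacros.h>). */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

#define VIDEO_MAJOR 81u /* Linux video4linux char major (assumption, not from the mail) */

/* Internal outcome. The distinction exists for privileged logging only and
 * must never reach the unprivileged caller, or it becomes a file oracle. */
enum devcheck { DEV_OK = 0, DEV_BAD_PREFIX, DEV_STAT_FAILED, DEV_NOT_CHR, DEV_WRONG_MAJOR };

static enum devcheck check_devnode(const char *path, unsigned expected_major)
{
    struct stat stb;

    if (strncmp(path, "/dev/", 5) != 0)       /* the old prefix check; not sufficient alone */
        return DEV_BAD_PREFIX;
    if (stat(path, &stb) == -1)               /* ENOENT vs EACCES etc. stays internal */
        return DEV_STAT_FAILED;
    if (!S_ISCHR(stb.st_mode))                /* /dev/../root/.bashrc is a regular file */
        return DEV_NOT_CHR;
    if (major(stb.st_rdev) != expected_major) /* right type, wrong driver */
        return DEV_WRONG_MAJOR;
    /* In a real tool, open() then fstat() the descriptor to close the
     * stat/open race before handing the fd to driver-specific code. */
    return DEV_OK;
}

/* One string for every failure: no strerror(), no reason code. */
static const char *user_message(enum devcheck rc)
{
    return rc == DEV_OK ? "ok" : "invalid path or file is not of the right type";
}

/* Major number of an existing character device, 0 otherwise (test helper). */
static unsigned node_major(const char *path)
{
    struct stat stb;
    if (stat(path, &stb) == -1 || !S_ISCHR(stb.st_mode))
        return 0;
    return major(stb.st_rdev);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/video0";
    enum devcheck rc = check_devnode(path, VIDEO_MAJOR);
    printf("%s: %s\n", path, user_message(rc)); /* all the user ever sees */
    return rc == DEV_OK ? 0 : 1;
}
```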