Bug#13985: marked as done (svgalibg1: mouse does not work in any svgalib programs, unless I launch them as root)
Your message dated Fri, 24 May 2002 03:17:21 -0400
with message-id <E17B9KD-0006nB-00@auric.debian.org>
and subject line Bug#13985: fixed in svgalib 1:1.4.3-8
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Oct 1997 04:07:56 +0000
Received: (qmail 21419 invoked from network); 19 Oct 1997 04:07:53 -0000
Received: from kite.ml.org (qmailr@kite.ml.org@206.228.243.193)
by 205.229.104.5 with SMTP; 19 Oct 1997 04:07:53 -0000
Received: (qmail 32105 invoked by uid 500); 19 Oct 1997 04:11:44 -0000
Date: 19 Oct 1997 04:11:43 -0000
Message-ID: <19971019041143.32104.qmail@kite.ml.org>
From: Joey Hess <joey@kite.ml.org>
Subject: svgalibg1: mouse does not work in any svgalib programs, unless I launch them as root
To: submit@bugs.debian.org
X-Mailer: bug 2.95
Package: svgalibg1
Version: 1:1.2.11-1
I first noticed this in abuse and maelstrom, then in xaos. Now I'm pretty
sure it applies to all svgalib program using this version of the svgalib
library.
If I log in as root and run one of these programs, then the (serial) mouse
works. If I log in as any other user, the mouse cursor doesn't move.
I'm pretty sure what's doing it is that vga_init() gives up the suid root
permissions when it is called, and the mouse device has not yet been opened.
Since only root can access the mouse device, the later mouse initialization
fails.
In abuse, I hacked together a solution that I'm ashamed to speak of. Here it
is:
setuid(geteuid());
setgid(getegid());
...
vga_init();
I hope that the svgalib library can be fixed so this sort of hack isn't
necessary any more to make the mouse work right. If not, do you have any
better ideas for the correct thing to do to work around svgalib's behavior,
that don't open gaping security holes like my hack above probably does?
BTW, it seems that svgalib is also calling setegid(getgid()) in vga_init.
This causes lots of problems with svgalib games that are, for example,
installed, sgid games so they can write to their high score files. Of
course, all these programs can be fixed to preserve the egid and restore it
after vga_init() is called - except squake can't be fixed this way since no
source is available.
Would it be possible to modify svgalib so it did something like this:
if (getgid() == 0)
setegid(getgid());
-- System Information
Debian Release: 1.3
Kernel Version: Linux kite 2.0.31 #1 Fri Oct 17 21:29:02 EDT 1997 i586 unknown
Versions of the packages svgalibg1 depends on:
libc6 Version: 2.0.5c-0.1
--- Begin /etc/vga/libvga.config (modified conffile)
mouse MouseSystems
HorizSync 30 83
VertRefresh 50 121
chipset S3 # S3 chipsets
colortext
--- End /etc/vga/libvga.config
---------------------------------------
Received: (at 13985-close) by bugs.debian.org; 24 May 2002 07:38:27 +0000
>From katie@auric.debian.org Fri May 24 02:38:27 2002
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] (mail)
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 17B9ed-0005vQ-00; Fri, 24 May 2002 02:38:27 -0500
Received: from katie by auric.debian.org with local (Exim 3.12 1 (Debian))
id 17B9KD-0006nB-00; Fri, 24 May 2002 03:17:21 -0400
From: Robert Luberda <robert@debian.org>
To: 13985-close@bugs.debian.org
X-Katie: $Revision: 1.21 $
Subject: Bug#13985: fixed in svgalib 1:1.4.3-8
Message-Id: <E17B9KD-0006nB-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Fri, 24 May 2002 03:17:21 -0400
Delivered-To: 13985-close@bugs.debian.org
We believe that the bug you reported is fixed in the latest version of
svgalib, which is due to be installed in the Debian FTP archive:
svgalib-bin_1.4.3-8_i386.deb
to pool/main/s/svgalib/svgalib-bin_1.4.3-8_i386.deb
svgalib1-altdev_1.4.3-8_i386.deb
to pool/main/s/svgalib/svgalib1-altdev_1.4.3-8_i386.deb
svgalib1_1.4.3-8_i386.deb
to pool/main/s/svgalib/svgalib1_1.4.3-8_i386.deb
svgalib_1.4.3-8.diff.gz
to pool/main/s/svgalib/svgalib_1.4.3-8.diff.gz
svgalib_1.4.3-8.dsc
to pool/main/s/svgalib/svgalib_1.4.3-8.dsc
svgalibg1-dev_1.4.3-8_i386.deb
to pool/main/s/svgalib/svgalibg1-dev_1.4.3-8_i386.deb
svgalibg1_1.4.3-8_i386.deb
to pool/main/s/svgalib/svgalibg1_1.4.3-8_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 13985@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Luberda <robert@debian.org> (supplier of updated svgalib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 23 May 2002 08:26:20 +0200
Source: svgalib
Binary: svgalib1 svgalib1-altdev svgalibg1-dev svgalib-bin svgalibg1
Architecture: source i386
Version: 1:1.4.3-8
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Robert Luberda <robert@debian.org>
Description:
svgalib-bin - Console SVGA display utilities
svgalib1 - SVGA display utilities [libc5 compat]
svgalib1-altdev - Shared, non-x, graphics library used by Ghostscript et al.
svgalibg1 - Console SVGA display utilities
svgalibg1-dev - Shared, non-x, graphics library used by Ghostscript et al.
Closes: 13985 47060 143181
Changes:
svgalib (1:1.4.3-8) unstable; urgency=low
.
* QA upload.
.
* Install updated r128 driver. Quoted from upstream homepage:
` The r128 driver in 1.4.3 has serious bugs that might cause system hang
on console switch and sync lose on some mode changes. Please use this
driver, r128.c, instead of the one in the distribution.'
* Svgalib programs can use the mouse device even when the device is only readable
by root since svgalib version 1.4.2 (closes: #13985, #47060).
* Fix typo in libvga.config (closes: #143181).
.
* Repackaged with debhelper v4.
* Don't use dpkg-statoverride or suid(un)register, just install some
programs suid.
* Package svgalib-bin: 'Conflicts: suidregister (<< 0.52)'.
* debian/control: use ${shlibs:Depends}, ${misc:Depends} and ${perl:Depends}
to get proper, versioned dependencies.
* Add linitan override files for setuid binaries and /usr/i486-linuxlibc1
directory. All packages are lintian clean now.
Files:
a47747d00f33d55534d8091f9ff30be0 651 graphics optional svgalib_1.4.3-8.dsc
4f8446083cd16cbbace809a370b04fd6 37415 graphics optional svgalib_1.4.3-8.diff.gz
2f112546a113332349e874b9e44093e4 22150 graphics optional svgalib-bin_1.4.3-8_i386.deb
938f1ee18c5af54a8941dc0b73eeac98 307122 libs optional svgalibg1_1.4.3-8_i386.deb
313031d161b5653292571c558ecdb331 585420 devel optional svgalibg1-dev_1.4.3-8_i386.deb
c700b4b5f5cf7d746fa58aeda43963ff 179418 oldlibs optional svgalib1_1.4.3-8_i386.deb
864286a45d3a324bf5c407cc6487c930 236024 oldlibs extra svgalib1-altdev_1.4.3-8_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE87VZ+Thh1cJ0wnDsRAm3aAJ9H323cNhhsob20frPw9l0VIsbj+gCfbKmo
lqUbIrnUR80eRKdSGQGbSxM=
=UdFL
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-qa-packages-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: