On 2020-07-06, at 19:11:09 +0000, Vasyl Gello wrote:

> July 6, 2020 6:58:05 PM UTC, Mattia Rizzolo <mat...@debian.org> wrote:
> > On Mon, Jul 06, 2020 at 05:10:30AM +0000, Vasyl Gello wrote:
> > > Thanks for contributing the security release! I checked your
> > > changes and pushed them to the team repo. I do not have
> > > upload rights, so CCing Sebastian and Mattia.
> >
> > Also, the commit adding the CVE patch mentions "partial fix", as
> > does the sec-tracker page. Can anybody explain shortly what's with
> > that, where is the full fix (if there is), and how come the LTS
> > upload claims this to be fully fixed instead (CCing the LTS team and
> > the uploader for this).
>
> By partial I understood that upstream fixed the core part but the
> Debian patch should have been adapted to reflect new changes.
>
> Jeremy, can you please correct me if I am wrong?

v4l-conf is seteuid-root and is intended to be used to probe video
devices under /dev. The path is given as a command-line argument and
the only validation that used to be done was a check that it began with
"/dev". This means an unprivileged user could test for the existence of
arbitrary files outside /dev and open them:

    $ v4l-conf -f -c /dev/../root/.bashrc
    VT_GETSTATE is not supported: Inappropriate ioctl for device
    mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
    /dev/../root/.bashrc: wrong device
    $ v4l-conf -f -c /dev/../root/.abshrc
    VT_GETSTATE is not supported: Inappropriate ioctl for device
    mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
    can't open /dev/../root/.abshrc: No such file or directory

The new upstream release added extra checks to ensure that the object at
the end of the path is a device file of the right sort before opening
it:

    /* First check if the device is really a devnode of the right type */
    if (-1 == stat(device, &stb)) {
        fprintf(stderr, "stat(%s): %s\n", device, strerror(errno));
        exit(1);
    }

    if (!S_ISCHR(stb.st_mode) || (major(stb.st_rdev) != major)) {
        fprintf(stderr, "%s: wrong device\n", device);
        exit(1);
    }

However, the error messages still leak information, allowing the user to
test for the existence of arbitrary files:

    $ v4l-conf -f -c /dev/../root/.bashrc
    VT_GETSTATE is not supported: Inappropriate ioctl for device
    mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
    /dev/../root/.bashrc: wrong device
    $ v4l-conf -f -c /dev/../root/.abshrc
    VT_GETSTATE is not supported: Inappropriate ioctl for device
    mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
    stat(/dev/../root/.abshrc): No such file or directory

The patch changes the error messages to prevent this:

    $ v4l-conf -f -c /dev/../root/.bashrc
    VT_GETSTATE is not supported: Inappropriate ioctl for device
    mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
    /dev/../root/.bashrc: invalid path or file is not of the right type
    $ v4l-conf -f -c /dev/../root/.abshrc
    VT_GETSTATE is not supported: Inappropriate ioctl for device
    mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
    /dev/../root/.abshrc: invalid path or file is not of the right type

J.
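
The difference between the two sets of error messages in the message above, as an added example that is not part of the original e-mail and is not v4l-conf's own code: `check_leaky` reproduces the two distinguishable failure messages, `check_uniform` collapses every failure into the single message the patch uses. The function names, the sample major number 81 and the sample paths are assumptions made for this illustration.

```c
#define _DEFAULT_SOURCE            /* expose S_ISCHR and major() under strict -std modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>         /* major() on glibc */

#define UNIFORM_MSG "invalid path or file is not of the right type"

/* Leaky variant: separate messages for "stat failed" and "wrong type".
 * Returns NULL when the path is a character device with the wanted major. */
static const char *check_leaky(const char *device, unsigned int want_major)
{
    struct stat stb;

    if (stat(device, &stb) == -1)
        return strerror(errno);    /* tells the caller the path does not exist */
    if (!S_ISCHR(stb.st_mode) || major(stb.st_rdev) != want_major)
        return "wrong device";     /* tells the caller the path does exist */
    return NULL;
}

/* Uniform variant: one message for every failure, so the text printed by a
 * privileged helper no longer distinguishes "missing" from "not a device". */
static const char *check_uniform(const char *device, unsigned int want_major)
{
    struct stat stb;

    if (stat(device, &stb) == -1 ||
        !S_ISCHR(stb.st_mode) || major(stb.st_rdev) != want_major)
        return UNIFORM_MSG;
    return NULL;
}

int main(void)
{
    /* Constructed sample paths: the first exists (a directory), the second does not. */
    const char *paths[] = { "/dev/..", "/dev/../no-such-file-constructed" };
    unsigned int want_major = 81;  /* sample value (assumption): video4linux major */

    for (int i = 0; i < 2; i++)
        printf("%-34s leaky: %-26s uniform: %s\n", paths[i],
               check_leaky(paths[i], want_major),
               check_uniform(paths[i], want_major));
    return 0;
}
```
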