wmtv: Fix security hole.

Patch by Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>.  From [1]:

   From: Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>
   To: Debian Bug Tracking System <submit@bugs.debian.org>
   Subject: wmtv: dangerous suid root
   Date: Thu, 08 Nov 2001 20:07:52 +0100

   Hi !
   I think there is a huge security hole with wmtv and, when wmtv is installed,
   anyone can easily get a root account. Here is what I have in my terminal:
   (everytime I launch wmtv, I double-clicked in the tv subwindow to call the
   external program)

   ----------------------------------------------------------------------
   Tintin:~> wmtv -e whoami
   root
   Tintin:~> cat > crack_root.sh
   #!/bin/sh
   cp /bin/sh /tmp
   chmod u+s /tmp/sh
   Tintin:~> chmod +x crack_root.sh
   Tintin:~> wmtv -e ~/crack_root.sh
   Tintin:~> ll /tmp/sh
   -rwsr-xr-x    1 root     users      407356 Nov  8 19:25 /tmp/sh*
   ----------------------------------------------------------------------

   I tried to make wmtv non-suid root, and... sometimes it works (despite an
   error message), sometimes it does not...

   ----------------------------------------------------------------------
   Tintin:~> ll /usr/bin/X11/wmtv
   -rwxr-xr-x    1 root     root        62588 Jul 31 01:55 /usr/bin/X11/wmtv*
   Tintin:~> wmtv
   ioctl VIDIOCSFBUF: Operation not permitted

   Tintin:~> wmtv
   ioctl VIDIOCSFBUF: Operation not permitted
   wmtv: no physical frame buffer access
   ----------------------------------------------------------------------

   Hence, I guess you should either correct wmtv so that it always work without
   being suid root, or make wmtv lose its privileges before it runs an external
   program.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
This commit is contained in:
Doug Torrance 2016-02-01 00:45:10 -05:00 committed by Carlos R. Mafra
parent 199e0065fe
commit 74bc5a7660

View file

@ -249,7 +249,7 @@ main(int argc, char *argv[])
break; break;
case 'e': case 'e':
exe = strdup(optarg); exe = strdup(optarg);
strcat(exe, " &"); /* strcat(exe, " &"); */
break; break;
case 'b': case 'b':
fprintf(stderr, "wmtv: option not implemented yet\n"); fprintf(stderr, "wmtv: option not implemented yet\n");
@ -439,7 +439,17 @@ main(int argc, char *argv[])
if (exe) { if (exe) {
ntfb_status = SETOFF; ntfb_status = SETOFF;
TVOff(); TVOff();
system(exe); /* system(exe); */
if (fork() == (pid_t) 0) {
char *argv[4];
setuid(getuid()); /* Drop the privileges */
argv[0] = "sh";
argv[1] = "-c";
argv[2] = exe;
argv[3] = NULL;
execv("/bin/sh", argv);
exit(-1);
}
#if 0 #if 0
pid = fork(); pid = fork();