From 74bc5a766088185e79c6d7eae0d37e9266881a5a Mon Sep 17 00:00:00 2001
From: Doug Torrance
Date: Mon, 1 Feb 2016 00:45:10 -0500
Subject: [PATCH] wmtv: Fix security hole.

Patch by Nicolas Boullis .
From [1]:
From: Nicolas Boullis
To: Debian Bug Tracking System
Subject: wmtv: dangerous suid root
Date: Thu, 08 Nov 2001 20:07:52 +0100
Hi !
I think there is a huge security hole with wmtv and, when wmtv is installed, anyone can easily get a root account. Here is what I have in my terminal: (everytime I launch wmtv, I double-clicked in the tv subwindow to call the external program)
----------------------------------------------------------------------
Tintin:~> wmtv -e whoami
root
Tintin:~> cat > crack_root.sh
#!/bin/sh
cp /bin/sh /tmp
chmod u+s /tmp/sh
Tintin:~> chmod +x crack_root.sh
Tintin:~> wmtv -e ~/crack_root.sh
Tintin:~> ll /tmp/sh
-rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh*
----------------------------------------------------------------------
I tried to make wmtv non-suid root, and... sometimes it works (despite an error message), sometimes it does not...
----------------------------------------------------------------------
Tintin:~> ll /usr/bin/X11/wmtv
-rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv*
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
wmtv: no physical frame buffer access
----------------------------------------------------------------------
Hence, I guess you should either correct wmtv so that it always work without being suid root, or make wmtv lose its privileges before it runs an external program.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
---
 wmtv/src/wmtv.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/wmtv/src/wmtv.c b/wmtv/src/wmtv.c
index d2998f5..7e2d663 100644
--- a/wmtv/src/wmtv.c
+++ b/wmtv/src/wmtv.c
@@ -249,7 +249,7 @@ main(int argc, char *argv[])
 break;
 case 'e':
 exe = strdup(optarg);
- strcat(exe, " &");
+ /* strcat(exe, " &"); */
 break;
 case 'b':
 fprintf(stderr, "wmtv: option not implemented yet\n");
@@ -439,7 +439,17 @@ main(int argc, char *argv[])
 if (exe) {
 ntfb_status = SETOFF;
 TVOff();
- system(exe);
+ /* system(exe); */
+ if (fork() == (pid_t) 0) {
+ char *argv[4];
+ setuid(getuid()); /* Drop the privileges */
+ argv[0] = "sh";
+ argv[1] = "-c";
+ argv[2] = exe;
+ argv[3] = NULL;
+ execv("/bin/sh", argv);
+ exit(-1);
+ }
 #if 0
 pid = fork();
-- 
2.11.4.GIT
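Review bot: The old `strcat(exe, " &");` is left behind as a comment in the `case 'e':` branch, and the second hunk does the same with `/* system(exe); */`; the history is already in version control, so both lines are better deleted. What a reader needs in their place is the reason the append went away, for example `/* no " &" suffix: strdup() sizes the buffer to optarg exactly, and the command is run from a forked child */`. The option switch and main() both begin and end outside the hunk.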
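Review bot: The child never checks the result of `setuid(getuid())`, so if that call fails the `execv("/bin/sh", argv)` at the end of the block still runs the `-e` command with the privileges this patch is meant to shed, and the group id is not reset at all. The drop should fail closed, group before user, and the child should leave through `_exit()` rather than `exit(-1)` so it does not run the parent's atexit handlers or flush its stdio buffers. A failed `fork()` also goes unreported, and the local `argv` shadows main's parameter; the version below uses a `switch` and `execl` to cover both. main() starts and ends outside the hunk, so whether the child is ever reaped cannot be judged from here.

```c
TVOff();
switch (fork()) {
case -1:
	perror("wmtv: fork");
	break;
case 0:
	/* Drop group, then user; never exec while still privileged. */
	if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
		_exit(127);
	execl("/bin/sh", "sh", "-c", exe, (char *) NULL);
	_exit(127);	/* only reached if execl() failed */
default:
	break;		/* parent carries on */
}
/* … unchanged: #if 0 block … */
```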