[36522] in bugtraq
Re: cdrecord local root exploit
daemon@ATHENA.MIT.EDU (Marcus Meissner)
Thu Sep 16 10:10:36 2004
Date: Wed, 15 Sep 2004 13:15:45 +0200
From: Marcus Meissner <meissner@suse.de>
To: Fix Address <hidden@paradise.net.nz>
Cc: Sean Davis <dive@endersgame.net>, newbug Tseng <newbug@chroot.org>,
bugtraq@securityfocus.com
Message-ID: <20040915111545.GB10579@suse.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="9zSXsLTf0vkW971A"
Content-Disposition: inline
In-Reply-To: <20040914015151.GB6716@paradise.net.nz>
--9zSXsLTf0vkW971A
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Sep 14, 2004 at 01:51:51PM +1200, Volker Kuhlmann wrote:
> > > echo "cdr-exp.sh -- CDRecord local exploit ( Tested on cdrecord-2.01-=
0.a27.2mdk + Mandrake10)"
>=20
> > I don't see how this is a bug in cdrecord. It's a bug in Mandrake, caus=
ed by
> > shipping cdrecord setuid root. You could do the same thing with CVS (set
> > CVS_RSH to /tmp/s) if your distribution was dumb enough to ship cvs set=
uid
> > root, I would think, yet that wouldn't be a bug in CVS.
>=20
> The author of cdrecord obstinately argues that cdrecord must be
> installed suid root, and is explicitly recommended. Especially SuSE,
> who does not install cdrecord suid root, has taken a lot of flak over
> this lately (investigate special SuSE copyright in versions 2.01a36 to
> 40 or so). It also seems that kernel 2.6.8 has changes included which
> make it impossible(?) not to run cdrecord suid root. Seems like a
> downhill to me but I'm not really qualified to comment.
This has been fixed later on at least.
> In any case it would be inappropriate to call it a bug "in cdrecord"
> when only testing the Mdk version, esp given the amount of patching
> applied by Mdk. First test a vanilla cdrecord, then other distros.
SUSE is btw not affected, since we have (as previously discussed), patched
cdrecord. ;)
Ciao, Marcus
--9zSXsLTf0vkW971A
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBSCRh6nvzlwF1Yj4RAoUNAKCKRfIDZRPT90aKDtETkJQlJPy2sgCgnihS
kU6vg/LsuU1CSAWgBsfWRus=
=yH2r
-----END PGP SIGNATURE-----
--9zSXsLTf0vkW971A--
