|
Vulnerability esound Affected Those running esound Description Following is based on a FreeBSD-SA-00:45 Security Advisory by FreeBSD. EsounD is a component of the GNOME desktop environment which is responsible for multiplexing access to audio devices. The esound port, versions 0.2.19 and earlier, creates a world-writable directory in /tmp owned by the user running the EsounD session, which is used for the storage of a unix domain socket. A race condition exists in the creation of this socket which allows a local attacker to cause an arbitrary file or directory owned by the user running esound to become world-writable. This can give the attacker access to the victim's account, or lead to a system compromise if esound is run by root. The esound port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection. Local users can cause files or directories owned by the target user to become world-writable when that user runs the esd daemon (e.g. by starting a GNOME session), allowing a security breach of that user account (or the entire system if esd is run by root) If you have not chosen to install the esound port/package, then your system is not vulnerable to this problem. Solution Deinstall the esound port/package, if you have installed it (see the pkg_delete(1) manual page for more information). Solution is one of the following: 1) Upgrade your entire ports collection and rebuild the esound port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/audio/esound-0.2.19.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/esound-0.2.19.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/esound-0.2.19.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/esound-0.2.19.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/esound-0.2.19.tgz 3) download a new port skeleton for the esound port from: http://www.freebsd.org/ports/ and use it to rebuild the port. For Linux Mandrake: Linux-Mandrake 6.0: 6.0/RPMS/esound-0.2.17-3mdk.i586.rpm 6.0/RPMS/esound-devel-0.2.17-3mdk.i586.rpm 6.0/SRPMS/esound-0.2.17-3mdk.src.rpm Linux-Mandrake 6.1: 6.1/RPMS/esound-0.2.17-3mdk.i586.rpm 6.1/RPMS/esound-devel-0.2.17-3mdk.i586.rpm 6.1/SRPMS/esound-0.2.17-3mdk.src.rpm Linux-Mandrake 7.0: 7.0/RPMS/esound-0.2.17-3mdk.i586.rpm 7.0/RPMS/esound-devel-0.2.17-3mdk.i586.rpm 7.0/SRPMS/esound-0.2.17-3mdk.src.rpm Linux-Mandrake 7.1: 7.1/RPMS/esound-0.2.17-3mdk.i586.rpm 7.1/RPMS/esound-devel-0.2.17-3mdk.i586.rpm 7.1/SRPMS/esound-0.2.17-3mdk.src.rpm For RedHat: ftp://updates.redhat.com/6.2/alpha/esound-0.2.20-0.alpha.rpm ftp://updates.redhat.com/6.2/alpha/esound-devel-0.2.20-0.alpha.rpm ftp://updates.redhat.com/6.2/sparc/esound-0.2.20-0.sparc.rpm ftp://updates.redhat.com/6.2/sparc/esound-devel-0.2.20-0.sparc.rpm ftp://updates.redhat.com/6.2/i386/esound-0.2.20-0.i386.rpm ftp://updates.redhat.com/6.2/i386/esound-devel-0.2.20-0.i386.rpm ftp://updates.redhat.com/6.2/SRPMS/esound-0.2.20-0.src.rpm ftp://updates.redhat.com/7.0/i386/esound-0.2.20-1.i386.rpm ftp://updates.redhat.com/7.0/i386/esound-devel-0.2.20-1.i386.rpm ftp://updates.redhat.com/7.0/SRPMS/esound-0.2.20-1.src.rpm For Immunix OS 6.2 (StackGuarded versions of the RedHat packages): http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/esound-0.2.20-0_StackGuard.i386.rpm http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/esound-devel-0.2.20-0_StackGuard.i386.rpm http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/esound-0.2.20-0_StackGuard.src.rpm Debian is not affected by this bug; the bug is specific to the unix domain socket support, which was turned off in stable (2.2/potato) and unstable (woody) on February 16, 2000. Therefore neither the current stable or unstable distribution of Debian is vulnerable to this problem. Debian 2.1 (aka "slink") is also not vulnerable to this problem; the version of esound in Debian 2.1 is 0.2.6, which predates the buggy unix domain socket code. For SuSE Linux: SuSE-7.0: ftp://ftp.suse.com/pub/suse/i386/update/7.0/snd1/esound-0.2.19-15.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/esound-0.2.19-15.src.rpm SuSE-6.4: ftp://ftp.suse.com/pub/suse/i386/update/6.4/snd1/esound-0.2.16-75.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/esound-0.2.16-75.src.rpm SuSE-6.3: ftp://ftp.suse.com/pub/suse/i386/update/6.3/snd1/esound-0.2.15-21.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/esound-0.2.15-21.src.rpm SuSE-7.0: ftp://ftp.suse.com/pub/suse/sparc/update/7.0/snd1/esound-0.2.19-15.sparc.rpm ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/esound-0.2.19-15.src.rpm SuSE-6.4: ftp://ftp.suse.com/pub/suse/axp/update/6.4/snd1/esound-0.2.16-75.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/esound-0.2.16-75.src.rpm SuSE-6.3: ftp://ftp.suse.com/pub/suse/axp/update/6.3/snd1/esound-0.2.15-21.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/esound-0.2.15-21.src.rpm SuSE-7.0: ftp://ftp.suse.com/pub/suse/ppc/update/7.0/snd1/esound-0.2.19-16.ppc.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/esound-0.2.19-16.src.rpm SuSE-6.4: ftp://ftp.suse.com/pub/suse/ppc/update/6.4/snd1/esound-0.2.16-75.ppc.rpm ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/esound-0.2.16-75.src.rpm Here's a patch that fixes the vulnerability in the esound package (0.2.19 and prior): --- esd.h.orig Thu Jun 29 23:12:53 2000 +++ esd.h Thu Jun 29 23:12:41 2000 @@ -7,8 +7,15 @@ #endif /* path and name of the default EsounD domain socket */ +#if 0 #define ESD_UNIX_SOCKET_DIR "/tmp/.esd" #define ESD_UNIX_SOCKET_NAME ESD_UNIX_SOCKET_DIR ## "/" ## "socket" +#else +char *esd_unix_socket_dir(void); +char *esd_unix_socket_name(void); +#define ESD_UNIX_SOCKET_DIR esd_unix_socket_dir() +#define ESD_UNIX_SOCKET_NAME esd_unix_socket_name() +#endif /* length of the audio buffer size */ #define ESD_BUF_SIZE (4 * 1024) --- esd.c.orig Tue Apr 4 11:20:08 2000 +++ esd.c Thu Jun 29 23:34:18 2000 @@ -219,12 +219,12 @@ { mkdir(ESD_UNIX_SOCKET_DIR, S_IRUSR|S_IWUSR|S_IXUSR| - S_IRGRP|S_IWGRP|S_IXGRP| - S_IROTH|S_IWOTH|S_IXOTH); + S_IRGRP|S_IXGRP| + S_IROTH|S_IXOTH); chmod(ESD_UNIX_SOCKET_DIR, S_IRUSR|S_IWUSR|S_IXUSR| - S_IRGRP|S_IWGRP|S_IXGRP| - S_IROTH|S_IWOTH|S_IXOTH); + S_IRGRP|S_IXGRP| + S_IROTH|S_IXOTH); } if (access(ESD_UNIX_SOCKET_NAME, R_OK | W_OK) == -1) { @@ -317,9 +317,9 @@ /* let anyone access esd's socket - but we have authentication so they */ /* wont get far if they dont have the auth key */ chmod(ESD_UNIX_SOCKET_NAME, - S_IRUSR|S_IWUSR|S_IXUSR| - S_IRGRP|S_IWGRP|S_IXGRP| - S_IROTH|S_IWOTH|S_IXOTH); + S_IRUSR|S_IWUSR| + S_IRGRP| + S_IROTH); } if (listen(socket_listen,16)<0) { --- esdlib.c.orig Thu Jun 29 23:31:04 2000 +++ esdlib.c Thu Jun 29 23:31:21 2000 @@ -19,6 +19,8 @@ #include <arpa/inet.h> #include <errno.h> #include <sys/wait.h> +#include <pwd.h> +#include <limits.h> #include <sys/un.h> @@ -1421,4 +1423,34 @@ */ return close( esd ); +} + +char * +esd_unix_socket_dir(void) { + static char *sockdir = NULL, sockdirbuf[PATH_MAX]; + struct passwd *pw; + + if (sockdir != NULL) + return (sockdir); + pw = getpwuid(getuid()); + if (pw == NULL || pw->pw_dir == NULL) { + fprintf(stderr, "esd: could not find home directory\n"); + exit(1); + } + snprintf(sockdirbuf, sizeof(sockdirbuf), "%s/.esd", pw->pw_dir); + endpwent(); + sockdir = sockdirbuf; + return (sockdir); +} + +char * +esd_unix_socket_name(void) { + static char *sockname = NULL, socknamebuf[PATH_MAX]; + + if (sockname != NULL) + return (sockname); + snprintf(socknamebuf, sizeof(socknamebuf), "%s/socket", + esd_unix_socket_dir()); + sockname = socknamebuf; + return (sockname); }