Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 232096 - CVE-2004-0813 SG_IO unsafe user command execution
Summary: CVE-2004-0813 SG_IO unsafe user command execution
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: cdrtools
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard: public=20040730,impact=moderate,sourc...
Depends On: 133098
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-13 21:06 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: RHSA-2007-0465
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-11 17:51:45 UTC


Attachments (Terms of Use)
Patch for CVE-2004-0806 (deleted)
2007-03-15 19:01 UTC, Josh Bressers
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0465 normal SHIPPED_LIVE Moderate: pam security and bug fix update 2007-06-07 23:32:45 UTC

Description Josh Bressers 2007-03-13 21:06:55 UTC
bug 133098 describes a flaw in the way the kernel handles certain SG_IO
commands.  A user who has access to a /dev/sg file, can do scary things they
shouldn't be able to.  In RHEL3 we currently give the console user read/write
access to /dev/sg devices which are also recordable CD drives.  This is
obviously a problem.

Fixing this in the kernel will be nearly impossible given how the RHEL3 kernel
works.  We can however fix it by changing the way cdrecord works.

If we use consolehelper to launch cdrecord, the end user should notice no change
in behavior, and will allow us to control who is able to execute cdrecord as the
root user.

Comment 1 Josh Bressers 2007-03-15 19:00:45 UTC
If we set cdrecord to be setuid root, we will need to add the patch for
CVE-2004-0806, which could allow a local user to gain root privileges.  We will
also need to add a fix for bug 152462 (CVE-2005-0866).  There is a patch in the bug.

Neither of these are currently vulnerabilities, but would be if we set cdrecord
to setuid root.

Comment 2 Josh Bressers 2007-03-15 19:01:55 UTC
Created attachment 150154 [details]
Patch for CVE-2004-0806

Comment 4 Tomas Mraz 2007-03-27 13:16:59 UTC
See the original bug 133098 for patch adding PAM support to cdrecord + PAM config.


Comment 5 Tomas Mraz 2007-03-27 13:21:28 UTC
Cdrecord with the patch mentioned above can be made setuid root and only people
logged in on console will have access to it.

(Note that using consolehelper doesn't help us as it sets both euid and uid to 0.)

Comment 7 Josh Bressers 2007-03-29 16:36:25 UTC
harald, can you roll new packages with all the patches mentioned and just note
te n-v-r here.  It's likely we'll include these packges with the pam errata
given they depend on each other.

Comment 8 Harald Hoyer 2007-03-30 10:17:41 UTC
scsi-remote will not work with the pam patch anyway, if I think of it. So we may
note that this functionality is gone. And we could remove the code also.

Comment 9 Josh Bressers 2007-03-30 11:34:51 UTC
I think as long as we note this loss of functionality in the errata, removing it
is the right thing.

Comment 10 Harald Hoyer 2007-04-03 12:13:45 UTC
what about:
isoinfo
isodump
isovfy
isodebug
cdrdao
devdump
readcd
skel

Patch with pam and make them suid also?

Comment 11 Josh Bressers 2007-04-03 12:32:00 UTC
I suspect we would only need to modify these tools if they need to write to the
device no?  Can they not read from the cd device, rather than the sg device?

Comment 15 Red Hat Bugzilla 2007-06-11 17:51:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0465.html



Note You need to log in before you can comment on or make changes to this bug.