

FWD: [linux-security] Linux squake security hole (provides root if squake is installed mode 4755)



There is a security hole in svga quake that might allow a user to get root.

I have just uploaded squake packages that disable this security hole by
removing the suid bit from squake. Of course, this will prevent non-root
users from playing the game at all.

If you have squake installed, you should either execute the following 
command as root:

chmod 755 /usr/games/squake.real

Or you should download the new squake package, as soon as it gets moved out
of Incoming. Either of these packages will close the security hole, one is
for stable, the other for unstable:

squake_1.06-5_i386.deb
squake_1.07-0.992-2_i386.deb

-- 
Joey Hess, quake maintainer for Debian

-----Forwarded message from Aleph One <aleph1@DFW.NET>-----

I'll just include the letter that I sent to John Carmack and Dave "Zoid"
Kirsch concerning this problem.
----------------------------------------------------------------------
From: Greg Alexander <galexand@sietch.bloomington.in.us>
To: zoid@threewave.com
cc: johnc@idsoftware.com
Subject: Security hole in squake.

Please respond with this mail if for nothing else than just to say "I got
it, I don't give a damn, go away." just so I know you got it...otherwise
I'll resend it every week until I get an ack. (I understand that you're both
very busy and tend to miss mail, I just feel that this is a rather important
problem).
        johnc: Sorry if this doesn't pertain directly to you, I just thought
you might like to know of this hole.

        I'm not totally certain how to exploit this, and it may not be
exploitable.  But I'd bet money that it is exploitable and I figured you'd
like to know before BUGTRAQ.  Anyways, now for the explanation.
        Zoid moved my vga_init() call, which was in the .c file with the
linux main(), into the svgalib .c file, apparently.  While this is more
"clean" (esp. considering my stupid inclusion of vga_init() { } into the
X-specific .c files), the problem is that any program using svgalib
requires to be setuid root.  vga_init() is the function that gives up root
access.  If you call vga_init() at the beginning of main(), no problemo.  If
you call it later, then everything executed before vga_init() will be run as
root.
        Quake is a very easy program to cause to segfault.  If a program can
be made to segfault while it is being run as root, it is almost always
capable of obtaining root.  There are probably several segfault opportunities,
but the most obvious is in the commandline parsing: "squake -game
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
will segfault you any time.
        The fix is simple -- move the vga_init() call back to the beginning
of main.  You may want to put the svgalib main stuff into its own file so
you don't have to do the ugliness of adding a vga_init() { } into the X and
other platform files.  It can be temporarily pseudo-fixed by merely doing
chown root.console squake; chmod 4750 squake    and make sure that only
trusted individuals are in group console.
        FYI, sdoom had a very similar bug that was posted on BUGTRAQ.  It
ran its soundserver before relinquishing root, a very bad thing.
        If you would like to be the first to release this bug to the press
(BUGTRAQ, linux-alert, linux-security, CERT advisory, etc.) in the form of a
new version of squake, just let me know.  Otherwise I was planning on
sending out the word myself.

        Also, just a little nit-pick.  Now it looks like, on error opening
/dev/cdrom, it has something like:

printf("CDAudio_Init: open of \"/dev/cdrom\" failed(%d)\n",errno);

that error number in ()'s there is pretty useless.  people will probably
start seeing "permission denied" errors there if you make the rootness stuff
work reasonably, but they won't have any idea what the error number means.
Maybe change it to something more like:

printf("CDAudio_Init: open of \"/dev/cdrom\" failed(%s)\n",sys_errlist[errno]);

Thank you for reading all of this drivel.  Have a nice day.

Greg Alexander
<Tag removed>
----------------------------------------------------------------------

John Carmack responded saying that it was up to Zoid to fix the problem.
Zoid responded by saying that he would have to think of a way to open
/dev/cdrom and /dev/mouse before giving up root.  I do not know how
seriously he intends to pursue this, though.
        For those in the cc: There is no reason to have root open /dev/cdrom
or /dev/mouse unless you cannot administer a proper linux system.

Greg Alexander
http://www.cia-g.com/~sietch/
----
"I read about monkeys in the encyclopedia as soon as I got home from the
funeral and I wonder if this one throws turds and masturbates all the time
like those monkeys saw it the zoo in San Francisco or if witness monkeys are
more like people."
        -- a character in Orson Scott Card and Kathryn H. Kidd's novel,
           Lovelock.

-----End of forwarded message-----
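The ordering problem the letter describes (a setuid-root binary that parses untrusted argv before vga_init() gives up root) is worth seeing in code. The following is an added example, not squake's or svgalib's source: it shows the corrected shape, where the first statement in main() permanently drops to the invoking user's real uid/gid, and only then is the "-game" argument copied, with an explicit length check, into a fixed buffer. The buffer size GAME_DIR_MAX, the helper names drop_privileges, parse_game_arg, check_game_arg and check_oversize_game_arg, and the constructed argv vectors are all assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed limit for the value of -game; squake's real buffer size is not
 * given in the message. */
#define GAME_DIR_MAX 64

/* Permanently give up the effective root identity that the setuid bit
 * granted, keeping only the real uid/gid of the invoking user. Called
 * before anything else in main() so that argument parsing, device opening
 * and any code that might crash all run unprivileged. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: after setuid() to a non-root uid the process could no
     * longer change its group. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Confirm the kernel really switched identities. */
    if (geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Bounded copy of the value following "-game". Returns 0 on success and
 * -1 when the option is absent, empty, or would not fit in out[]. */
int parse_game_arg(int argc, char **argv, char *out, size_t outlen)
{
    int i;
    for (i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-game") == 0) {
            size_t n = strlen(argv[i + 1]);
            if (n == 0 || n >= outlen)
                return -1;          /* refuse oversize values instead of overflowing */
            memcpy(out, argv[i + 1], n + 1);
            return 0;
        }
    }
    return -1;
}

/* Runs the parser over a constructed argv: {"squake", "-game", value}. */
int check_game_arg(const char *value)
{
    char buf[GAME_DIR_MAX];
    char *argv[] = { "squake", "-game", (char *)value };
    return parse_game_arg(3, argv, buf, sizeof buf);
}

/* Constructed oversize value, three times the buffer size, all 'a'. */
int check_oversize_game_arg(void)
{
    char big[GAME_DIR_MAX * 3];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return check_game_arg(big);
}

int main(int argc, char **argv)
{
    char game[GAME_DIR_MAX] = "id1";    /* default game directory */

    /* First thing: nothing below this line runs with root authority. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }
    if (argc > 1 && parse_game_arg(argc, argv, game, sizeof game) != 0) {
        fprintf(stderr, "bad or missing -game value\n");
        return 1;
    }
    printf("running as uid %u, game directory \"%s\"\n",
           (unsigned)geteuid(), game);
    return 0;
}
```

Run without the setuid bit, drop_privileges() is a no-op that still succeeds, which is what makes the sequence safe to keep unconditionally at the top of main(). The error reporting uses strerror(errno), the portable replacement for the sys_errlist[errno] the letter suggests.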


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .