Bug 2259536 (CVE-2006-2916)

Summary: CVE-2006-2916 arts: does not check the return value of the setuid which prevents artsd from dropping privileges
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: kevin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: arts-1.5.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in artswrapper in aRts. When running setuid root, it does not check the return value of the setuid function call. This flaw allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2259539, 2259540
Bug Blocks: 2259538
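
The unchecked-return pattern the Doc Text describes, next to a hardened privilege drop that treats a failed setuid() as fatal and re-verifies the resulting uids. This is an added C example, not artswrapper's code; the function names, the setuid_fn indirection and the failing stand-in are constructed so the check can be exercised without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
typedef int (*setuid_fn)(uid_t);

/* Vulnerable pattern from the bug: setuid()'s return value is discarded,
 * so a failed call leaves the process running as root unnoticed. */
void drop_privileges_unchecked(setuid_fn do_setuid, uid_t target)
{
    do_setuid(target);
}

/* Hardened pattern: a failed setuid() aborts the privilege drop, and the
 * real/effective/saved uids are re-read so a partial drop is caught too.
 * Returns 0 only when all three uids equal target, -1 otherwise. */
int drop_privileges_checked(setuid_fn do_setuid, uid_t target)
{
    uid_t ruid, euid, suid;
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s\n", (unsigned)target, strerror(errno));
        return -1;
    }
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    if (ruid != target || euid != target || suid != target) {
        fprintf(stderr, "uids not fully dropped: r=%u e=%u s=%u\n",
                (unsigned)ruid, (unsigned)euid, (unsigned)suid);
        return -1;
    }
    return 0;
}

/* Constructed stand-in for a setuid() that fails (setuid(2) lists EAGAIN and
 * EPERM as possible errors), so the check runs without root privileges. */
int failing_setuid(uid_t target) { (void)target; errno = EAGAIN; return -1; }

int main(void)
{
    uid_t me = getuid();
    drop_privileges_unchecked(failing_setuid, me);   /* failure goes unnoticed */
    if (drop_privileges_checked(failing_setuid, me) != 0)
        puts("checked variant refused to continue after a failed setuid");
    if (drop_privileges_checked(setuid, me) == 0)
        puts("real setuid() to own uid succeeded and was verified");
    return 0;
}
```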

Comment 1 Rohit Keshri 2024-01-22 09:11:27 UTC
Created arts tracking bugs for this issue:

Affects: epel-all [bug 2259539]
Affects: fedora-all [bug 2259540]

Comment 2 Kevin Kofler 2024-01-22 22:06:37 UTC
https://nvd.nist.gov/vuln/detail/CVE-2006-2916

> Product is only vulnerable when running setuid root
[snip]
> OFFICIAL STATEMENT FROM RED HAT (08/16/2006)
> Not vulnerable. We do not ship aRts as setuid root on Red Hat Enterprise Linux 2.1, 3, or 4.

I can echo that here:
aRts in Fedora and EPEL is not installed as suid root, hence not vulnerable. No patch is needed.