/usr/lib/bltk/bin/bltk_sudo is suid root and will run any application as root without performing any sort of authentication. This functionality is used minimally in the code - I'll produce a patch shortly.
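A quick way to catch this class of problem before a package ships is to enumerate setuid files in the package's install tree. The helper below is an added example for this thread, not code from bltk or from the Fedora packaging; the only path it assumes is the /usr/lib/bltk directory named in the report, and the test directory it uses is constructed.

```shell
#!/bin/sh
# Added audit helper (not part of bltk or its packaging): list regular files
# with the setuid bit set under a directory tree, optionally restricted to one
# owner. A root-owned hit under a package's install tree (for example
# /usr/lib/bltk from the report above) is something a reviewer should inspect:
# does it authenticate, restrict what it runs, or drop privileges?

# list_setuid DIR [OWNER]
#   Prints one path per line for every regular file under DIR with mode bit
#   4000 set. If OWNER is given, only files owned by that user are printed.
#   Uses only POSIX find primaries so it runs on any Unix-like host.
list_setuid() {
    dir=$1
    owner=$2
    if [ -n "$owner" ]; then
        find "$dir" -type f -perm -4000 -user "$owner" 2>/dev/null
    else
        find "$dir" -type f -perm -4000 2>/dev/null
    fi
}

# count_setuid DIR [OWNER]
#   Number of matching files; convenient for a pass/fail check in a build or
#   review script (a package that is expected to ship no setuid-root helpers
#   should report 0 here).
count_setuid() {
    list_setuid "$@" | wc -l | tr -d ' '
}

# Usage against the tree that shipped bltk_sudo, root-owned files only:
#   list_setuid /usr/lib/bltk root
#   [ "$(count_setuid /usr/lib/bltk root)" = "0" ] || echo "setuid-root helper found"
```

The check only finds the mode bit; whether a given setuid binary is actually dangerous still requires reading it (does it exec an attacker-chosen program, as bltk_sudo did, or only a fixed one?), but the listing tells you which files deserve that reading.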
Created attachment 374787
This (against git head) removes all the sudo functionality. Untested, will limit some of the output, ought to work.
I modified the patch: the use of hdparm is replaced with devkit-disks so that functionality is kept.
I see an update submitted for Fedora testing. Should this bug be opened up? Have we reported this upstream? What about a CVE name? I also assume this affects Fedora 11? Thanks for any info before approving it.
Bug has been submitted upstream. No CVE has been assigned. It also affects F11.
I'm assuming upstream has not requested an embargo of any sort, if we're pushing updates now? Or has this been fixed upstream already in a public repository? Hard to tell looking at the website, as it lists 1.0.8 as the latest version for download, but we have 1.0.9 in Fedora 12, so it looks outdated.
The F11 version is currently unstable. There is some issue that freezes the system. This has appeared without bltk changes. I have to investigate it. This is the main reason why the patch is not backported to F11 (already prepared).
Sure, but the question was whether or not this was public upstream already. I'm unable to tell that from their website. If it is public, we should bring it up on oss-security and request a CVE name so other vendors can correct this as well.
(In reply to comment #7)
> Sure, but the question was whether or not this was public upstream already.
> I'm unable to tell that from their website. If it is public, we should bring
> it up on oss-security and request a CVE name so other vendors can correct this
> as well.
I've sent my changes to Matthew's patch to upstream, plus info about your comment and a link to this bug.
Does upstream have a bugzilla or anything where this would have been reported and/or made public already (to ensure they have had time to have it corrected prior to pushing our Fedora update)? Has upstream responded to your mail, etc?
Upstream doesn't have any bugzilla AFAIK. The package has crossed the border of its original intention. This documents their reaction:
"Originally BLTK was only meant to be used in a test environment and not on production machines, so the security was a bit lax."
They have sources in git. I have access to the latest sources. Upstream is active; they respond quickly. They are working on updating the sources and integrating this bug fix.
Is the fix public? If so, then the fedora update can go out. If not, we need to keep sitting on it until it is. Please advise. Thanks.
Can the update be pushed or not?
Jiri: can this update be pushed yet? It's been sitting in the queue. While I would like to respect upstream, without any public information it's hard to know whether they have made this information available or not, whether it's fixed or not, etc. Can you ask whether or not they have any objection to us letting the Fedora update go through? It's been sitting in the queue for 42 days now.
Opening bug. Jiri notified upstream; a further embargo was not requested.
bltk-1.0.9-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
As noted in comment 4, this also affects F11.
bltk-1.0.8-3.fc11 has been submitted as an update for Fedora 11.
bltk-1.0.8-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.