Bug 542688 - bltk will run any command as root
Summary: bltk will run any command as root
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bltk
Version: 12
Hardware: All
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Jiri Skala
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-30 15:05 UTC by Matthew Garrett
Modified: 2014-11-09 22:32 UTC (History)
5 users (show)

Fixed In Version: bltk-1.0.8-3.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-18 22:32:50 UTC


Attachments (Terms of Use)
sudoectomy (24.76 KB, patch)
2009-11-30 15:48 UTC, Matthew Garrett
no flags Details | Diff

Description Matthew Garrett 2009-11-30 15:05:59 UTC
/usr/lib/bltk/bin/bltk_sudo is suid root and will run any application as root without performing any sort of authentication. This functionality is used minimally in the code - I'll produce a patch shortly.

/usr/lib/bltk/bin/bltk_sudo /bin/bash
#

Comment 1 Matthew Garrett 2009-11-30 15:48:18 UTC
Created attachment 374787 [details]
sudoectomy

This (against git head) removes all the sudo functionality. Untested, will limit some of the output, ought to work.

Comment 2 Jiri Skala 2009-12-11 08:35:59 UTC
I modified the patch - usage of hdparm is replaced with devkit-disks to be kept functionality.

Comment 3 Vincent Danen 2009-12-11 16:42:00 UTC
I see an update submitted for Fedora testing.  Should this bug be opened up?  Have we reported this upstream?  What about a CVE name?  I also assume this affects Fedora 11?  Thanks for any info before approving it.

Comment 4 Matthew Garrett 2009-12-11 16:46:47 UTC
Bug has been submitted upstream. No CVE has been assigned. It also affects F11.

Comment 5 Vincent Danen 2009-12-11 17:07:27 UTC
I'm assuming upstream has not requested an embargo of any sort, if we're pushing updates now?  Or has this been fixed upstream already in a public repository?  Hard to tell looking at the website as it lists 1.0.8 as the latest version for download, but we have 1.0.9 in Fedora 12 so it looks out-dated.

Comment 6 Jiri Skala 2009-12-14 07:51:26 UTC
F11 version is currently unstable. There is some issue that freezes system. This has appeared without bltk changes. I have to investigate it. This is main reason why the patch is not backported to F11 (already preapred).

Jiri

Comment 7 Vincent Danen 2009-12-14 15:33:54 UTC
Sure, but the question was whether or not this was public upstream already.  I'm unable to tell that from their website.  If it is public, we should bring it up on oss-security and request a CVE name so other vendors can correct this as well.

Thanks.

Comment 8 Jiri Skala 2009-12-21 09:06:50 UTC
(In reply to comment #7)
> Sure, but the question was whether or not this was public upstream already. 
> I'm unable to tell that from their website.  If it is public, we should bring
> it up on oss-security and request a CVE name so other vendors can correct this
> as well.
> 
> Thanks.  

I've sent my changes in Matthew's patch to upstream + info about your comment + link to this bug.

Jiri

Comment 9 Vincent Danen 2009-12-24 22:30:37 UTC
Does upstream have a bugzilla or anything where this would have been reported and/or made public already (to ensure they have had time to have it corrected prior to pushing our Fedora update)?  Has upstream responded to your mail, etc?

Thanks.

Comment 10 Jiri Skala 2010-01-02 20:36:25 UTC
The upstream doesn't have any bugzilla afaik. The package has crossed border of original intention. This documents their reaction:

"Originally BLTK was only meant to be used in a test environment and not on production machine so the security was a bit laxed."

They have sources in git. I have access to latest sources. Upstream is active they respond quickly. They are working on actualisation of sources and integration this bug fix.

Comment 11 Vincent Danen 2010-01-04 22:35:13 UTC
Is the fix public?  If so, then the fedora update can go out.  If not, we need to keep sitting on it until it is.  Please advise.  Thanks.

Comment 12 Tomas Hoger 2010-01-19 10:16:00 UTC
Can the update be pushed or not?

Comment 13 Vincent Danen 2010-01-22 18:03:57 UTC
Jiri: can this update be pushed yet?  It's been sitting in the queue.  While I would like to respect upstream, without any public information it's hard to know whether they have made this information available or not, whether it's fixed or not, etc.  Can you ask whether or not they have any objection to us letting the Fedora update go through?  It's been sitting in the queue for 42 days now.

Thanks.

Comment 14 Tomas Hoger 2010-01-27 15:40:17 UTC
Opening bug.  Jiri notified upstream, further embargo was not requested.

Comment 15 Fedora Update System 2010-01-29 03:33:38 UTC
bltk-1.0.9-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Matthew Garrett 2010-02-01 22:29:24 UTC
As noted in comment 4, this also affects F11.

Comment 17 Fedora Update System 2010-02-16 19:52:34 UTC
bltk-1.0.8-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/bltk-1.0.8-3.fc11

Comment 18 Fedora Update System 2010-02-18 22:32:45 UTC
bltk-1.0.8-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.