2259536 – (CVE-2006-2916) CVE-2006-2916 arts: does not check the return value of the setuid which prevents artsd from dropping privileges

Bug 2259536 (CVE-2006-2916) - CVE-2006-2916 arts: does not check the return value of the setuid which prevents artsd from dropping privileges

Summary: CVE-2006-2916 arts: does not check the return value of the setuid which prev...

Keywords:
Status:	NEW
Alias:	CVE-2006-2916
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2259539 2259540
Blocks:	2259538
TreeView+	depends on / blocked

Reported:	2024-01-22 09:08 UTC by Rohit Keshri
Modified:	2024-01-25 09:01 UTC (History)
CC List:	1 user (show)
Fixed In Version:	arts-1.5.10
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in artswrapper in aRts. When running a setuid root, it does not check the return value of the setuid function call. This flaw allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-01-22 09:08:01 UTC

artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.

http://dot.kde.org/1150310128/
http://mail.gnome.org/archives/beast/2006-December/msg00025.html
http://secunia.com/advisories/20677
http://secunia.com/advisories/20786
http://secunia.com/advisories/20827
http://secunia.com/advisories/20868
http://secunia.com/advisories/20899
http://secunia.com/advisories/25032
http://secunia.com/advisories/25059
http://security.gentoo.org/glsa/glsa-200704-22.xml
http://securitytracker.com/id?1016298
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.468256
http://www.gentoo.org/security/en/glsa/glsa-200606-22.xml
http://www.kde.org/info/security/advisory-20060614-2.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2006:107
http://www.novell.com/linux/security/advisories/2006_38_security.html
http://www.osvdb.org/26506
http://www.securityfocus.com/archive/1/437362/100/0/threaded
http://www.securityfocus.com/bid/18429
http://www.securityfocus.com/bid/23697
http://www.vupen.com/english/advisories/2006/2357
http://www.vupen.com/english/advisories/2007/0409
https://exchange.xforce.ibmcloud.com/vulnerabilities/27221

Comment 1 Rohit Keshri 2024-01-22 09:11:27 UTC

Created arts tracking bugs for this issue:

Affects: epel-all [bug 2259539]
Affects: fedora-all [bug 2259540]

Comment 2 Kevin Kofler 2024-01-22 22:06:37 UTC

https://nvd.nist.gov/vuln/detail/CVE-2006-2916

> Product is only vulnerable when running setuid root
[snip]
> OFFICIAL STATEMENT FROM RED HAT (08/16/2006)
> Not vulnerable. We do not ship aRts as setuid root on Red Hat Enterprise Linux 2.1, 3, or 4.

I can echo that here:
aRts in Fedora and EPEL is not installed as suid root, hence not vulnerable. No patch is needed.

Note You need to log in before you can comment on or make changes to this bug.