ports/52849: [update/new port] Fix a security issue in cdrtools by updating to version 2.00.3 and add a new port for the development version
marius
marius at alchemy.franken.de
Sun Jun 1 23:20:21 UTC 2003
>Number: 52849
>Category: ports
>Synopsis: [update/new port] Fix a security issue in cdrtools by updating to version 2.00.3 and add a new port for the development version
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Jun 01 16:20:19 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: marius
>Release: FreeBSD 5.1-BETA sparc64
>Organization:
>Environment:
System: FreeBSD alchemy.franken.de 5.1-BETA FreeBSD 5.1-BETA #0: Thu May 29 14:55:16 CEST 2003 marius at alchemy.franken.de:/tmp/sys/sparc64/compile/alchemy sparc64
>Description:
Version 2.0_1 of sysutils/cdrtools has a bug in scsitransp.c which might also
lead to a root exploit similar to the bug in scsiopen.c. From the release notes at
ftp://ftp.berlios.de/pub/cdrecord/AN-2.00.3
- Security update for scsiopen.c
Fixed a problem with possible suid root exploit in the SCSI error string.
Thanks to Stefano Di Paola <stefano.dipaola1 at tin.it> for reporting.
- Security update for scsitransp.c (similar to scsiopen.c)
As with the last bug fixed in version 2.0_1, this also is only an issue if the
binaries are set suid root which is not done by the port but might be done locally
to give other users the possibility to burn cds.
Besides adding another patch to fix the bug it can be also fixed by updating the
port to one of two possible newer versions, version 2.00.3 and version 2.01a15.
Version 2.00.3 is a maintenance release fixing security and portability issues.
Version 2.01a15 is the latest alpha release.
As cdrtools resp. mkisofs is used for release engineering it would be better
to update to 2.00.3 in my opinion rather than updating to the latest bleeding
edge development version as done in the past with this port.
However, one might also want a port of the latest alpha release because of
support for a previously unsupported drive, testing new features etc..
Therefor I did two sets of patches, the first updates sysutils/cdrtools to
version 2.00.3 and sysutils/mkisofs to version 2.0.3. The second set creates two
new ports, sysutils/cdrtools-devel (version 2.01a15) and sysutils/mkisofs-devel
(2.01a12), both assuming repo-copies of the respective ports.
The patch for sysutils/cdrtools is at:
ftp://ftp.zeist.de/pub/patches/sysutils::cdrtools.diff
As version 2.00.3 includes the fix for scsiopen.c, patch-libscg::scsiopen.c has
to be removed form the FILESDIR.
The update for sysutils is at:
ftp://ftp.zeist.de/pub/patches/sysutils::mkisofs.diff
It also re-aranges the MASTERDIR variable to calm down portlint and adds
CONFLICTS variables for the devel-ports as does the above patch for cdrtools.
The patches to create the ports of the development version are at:
ftp://ftp.zeist.de/pub/patches/sysutils::cdrtools-devel.diff
ftp://ftp.zeist.de/pub/patches/sysutils::mkisofs-devel.diff
As with sysutils::cdrtools.diff, patch-libscg::scsiopen.c has to be deleted
form the FILESDIR while there is a whole bunch of new files do add:
pkg-message
pkg-message.conf_prefix
files/patch-RULES::rules.cnf
files/patch-cdda2wav::setuid.c
files/patch-cdrecord::cdrecord.1
files/patch-cdrecord::cdrecord.c
files/patch-cdrecord::cdrecord.dfl
files/patch-cdrecord::defaults.c
files/patch-include::deflts.h
files/patch-mkisofs::mkisofs.c
files/patch-readcd::readcd.1
files/patch-readcd::readcd.c
files/patch-rscsi::rscsi.c
files/patch-rscsi::rscsi.dfl
files/patch-scgcheck::scgcheck.1
The additional patches are for several enhancements of the port in comparison
to sysutils/cdrtools resp. sysutils/mkisofs. For cdrtools-devel these are:
- Swap over to the bz2 tarball.
- Fix COMMENT, this port doesn't install mkisofs.
- Respect CC already at the configure-stage.
- Install scgcheck, a tool to check and validate the ABI of libscg.
- Patch cdrecord to install and use the configuration file at overrideable
location, defaulting to ${PREFIX}/etc, rather than using /etc/default.
This also patches the installed documentaion and adds a PKGMESSAGE reflecting
the change as required by the license of cdrtools. See also PR ports/50835.
(This is partly based on the NetBSD port/pkgsrc of cdrtools).
- Install a sample configuration file for cdrecord.
- Patch manpages to better correspond to files and locations on FreeBSD.
- Install rcsi, a tool to allow using SCSI-devices over the network. Install a
sample configuration file for it, give short instructions in PKGMESSAGE how to
set it up. This has been successfully tested by buring a CD on a sparc64
machine via a CD-burner in an i386 machine.
- Delete the targets for mkisofs and friends to speed up the build of this port.
- Add patches to prefer seteuid(2) over setreuid(2). (Mostly based on the
NetBSD port/pkgsrc of cdrtools).
For mkisofs-devel:
- Respect CC already at the configure-stage.
- Add MLINKS for devdump.8, isodump.8, isovfy.8 to isoinfo.8.
- Remove apple_driver.8, this tool doesn't get installed.
- Replace mkhybrid.8 (just includes mkisofs.8, broken without patching) with a
MLINKS to mkisofs.8.
- Delete the targets for cdrecord and friends to speed up the build of this
port.
- Add patches to prefer seteuid(2) over setreuid(2). (Mostly based on the
NetBSD port/pkgsrc of cdrtools).
Maybe parts of these changes should be brought back to sysutils/cdrtools if they
have proven good.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list