Date:      Mon, 2 Jun 2003 01:15:50 +0200 (CEST)
From:      marius <marius@alchemy.franken.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        oliver@FreeBSD.org
Subject:   ports/52849: [update/new port] Fix a security issue in cdrtools by updating to version 2.00.3 and add a new port for the development version
Message-ID:  <200306012315.h51NFo8x052836@alchemy.franken.de>
Resent-Message-ID: <200306012320.h51NKJ09079317@freefall.freebsd.org>


>Number:         52849
>Category:       ports
>Synopsis:       [update/new port] Fix a security issue in cdrtools by updating to version 2.00.3 and add a new port for the development version
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 01 16:20:19 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     marius
>Release:        FreeBSD 5.1-BETA sparc64
>Organization:
>Environment:
System: FreeBSD alchemy.franken.de 5.1-BETA FreeBSD 5.1-BETA #0: Thu May 29 14:55:16 CEST 2003 marius@alchemy.franken.de:/tmp/sys/sparc64/compile/alchemy sparc64


>Description:
	Version 2.0_1 of sysutils/cdrtools has a bug in scsitransp.c which might also
	lead to a root exploit similar to the bug in scsiopen.c. From the release notes at
	ftp://ftp.berlios.de/pub/cdrecord/AN-2.00.3

	- Security update for scsiopen.c
	 Fixed a problem with possible suid root exploit in the SCSI error string.
	 Thanks to Stefano Di Paola <stefano.dipaola1@tin.it> for reporting.
	- Security update for scsitransp.c (similar to scsiopen.c)

	As with the last bug fixed in version 2.0_1, this also is only an issue if the
	binaries are set suid root which is not done by the port but might be done locally
	to give other users the possibility to burn cds.

	Besides adding another patch to fix the bug it can be also fixed by updating the
	port to one of two possible newer versions, version 2.00.3 and version 2.01a15.
	Version 2.00.3 is a maintenance release fixing security and portability issues.
	Version 2.01a15 is the latest alpha release.
	As cdrtools resp. mkisofs is used for release engineering it would be better
	to update to 2.00.3 in my opinion rather than updating to the latest bleeding
	edge development version as done in the past with this port.

	However, one might also want a port of the latest alpha release because of
	support for a previously unsupported drive, testing new features etc.
	Therefore I did two sets of patches, the first updates sysutils/cdrtools to
	version 2.00.3 and sysutils/mkisofs to version 2.0.3. The second set creates two
	new ports, sysutils/cdrtools-devel (version 2.01a15) and sysutils/mkisofs-devel
	(2.01a12), both assuming repo-copies of the respective ports.

	The patch for sysutils/cdrtools is at:
	ftp://ftp.zeist.de/pub/patches/sysutils::cdrtools.diff
	As version 2.00.3 includes the fix for scsiopen.c, patch-libscg::scsiopen.c has
	to be removed from the FILESDIR.
	The update for sysutils is at:
	ftp://ftp.zeist.de/pub/patches/sysutils::mkisofs.diff
	It also re-arranges the MASTERDIR variable to calm down portlint and adds
	CONFLICTS variables for the devel-ports as does the above patch for cdrtools.
	
	The patches to create the ports of the development version are at:
	ftp://ftp.zeist.de/pub/patches/sysutils::cdrtools-devel.diff
	ftp://ftp.zeist.de/pub/patches/sysutils::mkisofs-devel.diff
	As with sysutils::cdrtools.diff, patch-libscg::scsiopen.c has to be deleted
	from the FILESDIR while there is a whole bunch of new files to add:
	pkg-message
	pkg-message.conf_prefix
	files/patch-RULES::rules.cnf
	files/patch-cdda2wav::setuid.c
	files/patch-cdrecord::cdrecord.1
	files/patch-cdrecord::cdrecord.c
	files/patch-cdrecord::cdrecord.dfl
	files/patch-cdrecord::defaults.c
	files/patch-include::deflts.h
	files/patch-mkisofs::mkisofs.c
	files/patch-readcd::readcd.1
	files/patch-readcd::readcd.c
	files/patch-rscsi::rscsi.c
	files/patch-rscsi::rscsi.dfl
	files/patch-scgcheck::scgcheck.1
	
	The additional patches are for several enhancements of the port in comparison
	to sysutils/cdrtools resp. sysutils/mkisofs. For cdrtools-devel these are:
	- Swap over to the bz2 tarball.
	- Fix COMMENT, this port doesn't install mkisofs.
	- Respect CC already at the configure-stage.
	- Install scgcheck, a tool to check and validate the ABI of libscg.
	- Patch cdrecord to install and use the configuration file at an overridable
	  location, defaulting to ${PREFIX}/etc, rather than using /etc/default.
	  This also patches the installed documentation and adds a PKGMESSAGE reflecting
	  the change as required by the license of cdrtools. See also PR ports/50835.
	  (This is partly based on the NetBSD port/pkgsrc of cdrtools).
	- Install a sample configuration file for cdrecord.
	- Patch manpages to better correspond to files and locations on FreeBSD.
	- Install rscsi, a tool to allow using SCSI-devices over the network. Install a
	  sample configuration file for it, give short instructions in PKGMESSAGE how to
	  set it up. This has been successfully tested by burning a CD on a sparc64
	  machine via a CD-burner in an i386 machine.
	- Delete the targets for mkisofs and friends to speed up the build of this port.
	- Add patches to prefer seteuid(2) over setreuid(2). (Mostly based on the
	  NetBSD port/pkgsrc of cdrtools).

	For mkisofs-devel:
	- Respect CC already at the configure-stage.
	- Add MLINKS for devdump.8, isodump.8, isovfy.8 to isoinfo.8.
	- Remove apple_driver.8, this tool doesn't get installed.
	- Replace mkhybrid.8 (just includes mkisofs.8, broken without patching) with a
	  MLINKS to mkisofs.8.
	- Delete the targets for cdrecord and friends to speed up the build of this
	  port.
	- Add patches to prefer seteuid(2) over setreuid(2). (Mostly based on the
	  NetBSD port/pkgsrc of cdrtools).

	Maybe parts of these changes should be brought back to sysutils/cdrtools if they
	have proven good.

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
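
The report notes that the scsiopen.c/scsitransp.c bugs only matter where the binaries have been made suid root locally. The following check for that condition is an added example, not part of the original PR or of the port; the binary names are taken from the patch list above, and the install directories (${PREFIX}/bin and ${PREFIX}/sbin, PREFIX defaulting to /usr/local) are assumptions.

```shell
#!/bin/sh
# Added example: report cdrtools binaries that carry the set-uid bit.
# Assumption: names come from the PR's patch list; adjust for your install.
CDRTOOLS_BINS="cdrecord cdda2wav readcd rscsi scgcheck mkisofs"

# audit_suid UID DIR [NAME...]
# Prints one path per line for every regular file DIR/NAME that has the
# set-uid bit (mode 4000) and is owned by UID. Missing files are skipped.
# With no NAME arguments, the default list above is checked.
audit_suid() {
    uid=$1; dir=$2; shift 2
    [ $# -gt 0 ] || set -- $CDRTOOLS_BINS
    for name in "$@"; do
        path=$dir/$name
        [ -f "$path" ] || continue
        # -perm -4000 matches when the set-uid bit is set; -user takes a numeric uid.
        find "$path" -prune -type f -perm -4000 -user "$uid" -print 2>/dev/null || :
    done
    return 0
}

# Look for root-owned set-uid copies in the assumed install locations.
PREFIX=${PREFIX:-/usr/local}
for d in "$PREFIX/bin" "$PREFIX/sbin"; do
    audit_suid 0 "$d"
done
```

Any path printed is a binary for which the update to 2.00.3 is security-relevant on that machine.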


