52849 – [update/new port] Fix a security issue in cdrtools by updating to version 2.00.3 and add a new port for the development version

Bug 52849 - [update/new port] Fix a security issue in cdrtools by updating to version 2.00.3 and add a new port for the development version

Summary: [update/new port] Fix a security issue in cdrtools by updating to version 2.0...

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	dirk

URL:
Keywords:

Depends on:
Blocks:

Reported:	2003-06-02 00:20 UTC by marius
Modified:	2003-08-19 17:34 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description marius 2003-06-02 00:20:19 UTC

	Version 2.0_1 of sysutils/cdrtools has a bug in scsitransp.c which might also
	lead to a root exploit similar to the bug in scsiopen.c. From the release notes at
	ftp://ftp.berlios.de/pub/cdrecord/AN-2.00.3

	- Security update for scsiopen.c
	 Fixed a problem with possible suid root exploit in the SCSI error string.
	 Thanks to Stefano Di Paola <stefano.dipaola1@tin.it> for reporting.
	- Security update for scsitransp.c (similar to scsiopen.c)

	As with the last bug fixed in version 2.0_1, this also is only an issue if the
	binaries are set suid root which is not done by the port but might be done locally
	to give other users the possibility to burn cds.

	Besides adding another patch to fix the bug it can be also fixed by updating the
	port to one of two possible newer versions, version 2.00.3 and version 2.01a15.
	Version 2.00.3 is a maintenance release fixing security and portability issues.
	Version 2.01a15 is the latest alpha release.
	As cdrtools resp. mkisofs is used for release engineering it would be better
	to update to 2.00.3 in my opinion rather than updating to the latest bleeding
	edge development version as done in the past with this port.

	However, one might also want a port of the latest alpha release because of
	support for a previously unsupported drive, testing new features etc..
	Therefor I did two sets of patches, the first updates sysutils/cdrtools to
	version 2.00.3 and sysutils/mkisofs to version 2.0.3. The second set creates two
	new ports, sysutils/cdrtools-devel (version 2.01a15) and sysutils/mkisofs-devel
	(2.01a12), both assuming repo-copies of the respective ports.

	The patch for sysutils/cdrtools is at:
	ftp://ftp.zeist.de/pub/patches/sysutils::cdrtools.diff
	As version 2.00.3 includes the fix for scsiopen.c, patch-libscg::scsiopen.c has
	to be removed form the FILESDIR.
	The update for sysutils is at:
	ftp://ftp.zeist.de/pub/patches/sysutils::mkisofs.diff
	It also re-aranges the MASTERDIR variable to calm down portlint and adds
	CONFLICTS variables for the devel-ports as does the above patch for cdrtools.
	
	The patches to create the ports of the development version are at:
	ftp://ftp.zeist.de/pub/patches/sysutils::cdrtools-devel.diff
	ftp://ftp.zeist.de/pub/patches/sysutils::mkisofs-devel.diff
	As with sysutils::cdrtools.diff, patch-libscg::scsiopen.c has to be deleted
	form the FILESDIR while there is a whole bunch of new files do add:
	pkg-message
	pkg-message.conf_prefix
	files/patch-RULES::rules.cnf
	files/patch-cdda2wav::setuid.c
	files/patch-cdrecord::cdrecord.1
	files/patch-cdrecord::cdrecord.c
	files/patch-cdrecord::cdrecord.dfl
	files/patch-cdrecord::defaults.c
	files/patch-include::deflts.h
	files/patch-mkisofs::mkisofs.c
	files/patch-readcd::readcd.1
	files/patch-readcd::readcd.c
	files/patch-rscsi::rscsi.c
	files/patch-rscsi::rscsi.dfl
	files/patch-scgcheck::scgcheck.1
	
	The additional patches are for several enhancements of the port in comparison
	to sysutils/cdrtools resp. sysutils/mkisofs. For cdrtools-devel these are:
	- Swap over to the bz2 tarball.
	- Fix COMMENT, this port doesn't install mkisofs.
	- Respect CC already at the configure-stage.
	- Install scgcheck, a tool to check and validate the ABI of libscg.
	- Patch cdrecord to install and use the configuration file at overrideable
	  location, defaulting to ${PREFIX}/etc, rather than using /etc/default.
	  This also patches the installed documentaion and adds a PKGMESSAGE reflecting
	  the change as required by the license of cdrtools. See also PR ports/50835.
	  (This is partly based on the NetBSD port/pkgsrc of cdrtools).
	- Install a sample configuration file for cdrecord.
	- Patch manpages to better correspond to files and locations on FreeBSD.
	- Install rcsi, a tool to allow using SCSI-devices over the network. Install a
	  sample configuration file for it, give short instructions in PKGMESSAGE how to
	  set it up. This has been successfully tested by buring a CD on a sparc64
	  machine via a CD-burner in an i386 machine.
	- Delete the targets for mkisofs and friends to speed up the build of this port.
	- Add patches to prefer seteuid(2) over setreuid(2). (Mostly based on the
	  NetBSD port/pkgsrc of cdrtools).

	For mkisofs-devel:
	- Respect CC already at the configure-stage.
	- Add MLINKS for devdump.8, isodump.8, isovfy.8 to isoinfo.8.
	- Remove apple_driver.8, this tool doesn't get installed.
	- Replace mkhybrid.8 (just includes mkisofs.8, broken without patching) with a
	  MLINKS to mkisofs.8.
	- Delete the targets for cdrecord and friends to speed up the build of this
	  port.
	- Add patches to prefer seteuid(2) over setreuid(2). (Mostly based on the
	  NetBSD port/pkgsrc of cdrtools).

	Maybe parts of these changes should be brought back to sysutils/cdrtools if they
	have proven good.

Comment 1 Christian Weisgerber freebsd_committer

2003-06-07 14:32:17 UTC

Responsible Changed
From-To: freebsd-ports-bugs->dirk

Over to cdrtools maintainer.

Comment 2 Alexander Leidinger freebsd_committer

2003-08-19 17:33:40 UTC

State Changed
From-To: open->closed

SecFix, cdrtools-devel and mkisofs-devel committed.