| Summary: | xawtv new security issue CVE-2020-13696 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, mageia, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | xawtv-3.107-1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-06-06 18:40:31 CEST
David Walser
2020-06-06 18:41:04 CEST
Whiteboard: (none) => MGA7TOO

This SRPM has no registered maintainer, but DavidG has done past new versions, so assigning it to you.

Assignee: bugsquad => geiger.david68210

Done for both Cauldron and mga7! Note that I upgraded xawtv to the latest upstream release, which contains only 3 more commits compared to the 3.106.

David, I think you missed the patch attached to the oss-security message.

Nop! The commit 31f31f9cbaee7be806cba38e0ff5431bd44b20a3 is already included in the 3.107 release. And commit 36dc44e68e5886339b4a0fbe3f404fb1a4fd2292 + attached patch are both in the single CVE-2020-13696.patch.

Advisory:
========================

Updated xawtv packages fix security vulnerability:

The v4l-conf program in xawtv allows users to determine the existence of file names in directories they do not have access to, and allows a user to have the system open files they do not have access to, though it does not provide the user access to the file contents (CVE-2020-13696).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13696
https://www.openwall.com/lists/oss-security/2020/06/04/6
========================

Updated packages in core/updates_testing:
========================
xawtv-3.107-1.1.mga7
xawtv-common-3.107-1.1.mga7
xawtv-control-3.107-1.1.mga7
fbtv-3.107-1.1.mga7
xawtv-misc-3.107-1.1.mga7
radio-3.107-1.1.mga7
streamer-3.107-1.1.mga7
motv-3.107-1.1.mga7
ttv-3.107-1.1.mga7
xawtv-web-3.107-1.1.mga7

from xawtv-3.107-1.1.mga7.src.rpm

CC: (none) => geiger.david68210

Installed these packages from release on x86_64. There does not seem to be a way to test them without compatible hardware. vlc copes extremely well with DVB-T/T2 and free-to-air using the Hauppauge WinTV tuner but xawtv/motv cannot see it. There are mutterings on the LinuxTV website that xawtv does not work with that tuner.

```
$ motv -c /dev/dvb/adapter0/demux0
This is motv-3.106, running on Linux/x86_64 (5.6.8-desktop-1.mga7)
xinerama 0: 3840x2160+0+0
Failed to query video capabilities: Inappropriate ioctl for device
libv4l2: error getting capabilities: Inappropriate ioctl for device
vid-open: failed: libv4l no video grabber device available
```

Passing this on to whoever has appropriate hardware.

CC: (none) => tarazed25

And for what it is worth, in case there are no takers, all packages updated cleanly.

You could test the PoC (see the oss-security post).

Thanks David - did not read the post closely enough to see that it does not involve the GUI. Going back to release version now.

https://www.openwall.com/lists/oss-security/2020/06/04/6

```
# mv .bashrc bashrc
$ v4l-conf -c /dev/../root/.bashrc
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
can't open /dev/../root/.bashrc: No such file or directory
$ v4l-conf -c /dev/../root/.bash_history
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
/dev/../root/.bash_history: wrong device
```

Updated packages. After update.

```
$ v4l-conf -c /dev/../root/.bashrc
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
/dev/../root/.bashrc: invalid path or file is not of the right type
$ v4l-conf -c /dev/../root/.bash_history
v4l-conf: using X11 display :1
dga: version 2.0
WARNING: No DGA direct video mode for this display.
mode: 3840x2160, depth=24, bpp=32, bpl=15360, base=unknown
/dev/../root/.bash_history: invalid path or file is not of the right type
```

That looks conclusive - fix works. Leaving this a little longer. If nobody bites shall pass it tomorrow.
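The path check that the PoC above bypasses, beside a hardened one, as an added example (this is not xawtv's code or the upstream patch; the function names, messages and the use of realpath() plus a character-device test are this example's own assumptions about how such a check should look):

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Pre-fix style check: a purely textual prefix test. "/dev/../root/.bashrc"
 * begins with "/dev/", so a setuid-root tool that then open()s the path
 * reports a different error depending on whether the file exists (the
 * "No such file or directory" vs "wrong device" leak seen above) and opens
 * a file the caller could not open themselves. */
int naive_path_ok(const char *path)
{
    return strncmp(path, "/dev/", 5) == 0;
}

/* Hardened check: canonicalise first so ".." and symlinks are resolved,
 * re-test the prefix on the resolved path, and require a character device.
 * Every failure collapses to the same result so the caller can print one
 * message for all of them and reveal nothing about files outside /dev.
 * Note: stat() followed by a later open() still leaves a race window; a
 * setuid tool should also fstat() the descriptor it actually opened. */
int hardened_path_ok(const char *path)
{
    char resolved[PATH_MAX];
    struct stat st;

    if (realpath(path, resolved) == NULL)
        return 0;                       /* missing or unreadable: same answer */
    if (strncmp(resolved, "/dev/", 5) != 0)
        return 0;                       /* escaped /dev via ".." or a symlink */
    if (stat(resolved, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode);         /* v4l nodes are character devices */
}

int main(int argc, char **argv)
{
    /* Constructed sample path; pass another as the first argument. */
    const char *path = argc > 1 ? argv[1] : "/dev/../etc/passwd";
    printf("%s: naive=%s hardened=%s\n", path,
           naive_path_ok(path) ? "accepted" : "rejected",
           hardened_path_ok(path) ? "accepted" : "rejected");
    return 0;
}
```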
Len Lawrence
2020-06-09 18:46:03 CEST
Whiteboard: (none) => MGA7-64-OK

openSUSE has issued an advisory for this on June 8:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00036.html

Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Nicolas Lécureuil
2020-06-11 01:13:43 CEST
CC: (none) => mageia

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0257.html

Resolution: (none) => FIXED