Security Information / 2000 / Security Information -- xmcd

Debian Security Advisory

xmcd -- untrustworthy privileged binaries

Date Reported:

21 Nov 2000

Affected Packages:

xmcd, cddb

Vulnerable:

Yes

Security database references:

No other external database security references currently available.

More information:

The Debian GNU/Linux xmcd package has historically installed two setuid helpers for accessing cddb databases and SCSI cdrom drives. More recently, the package offered the administrator the chance to remove these setuid flags, but did so incorrectly.

A buffer overflow in ncurses, linked to the "cda" binary, allowed a root exploit. Fixed ncurses packages have been released, as well as fixed xmcd packages which do not install this binary with a setuid flag.

The problem is fixed in xmcd 2.5pl1-7.1, and we recommend all users with xmcd installed upgrade to this release. You may need to add users of xmcd to the "audio" and "cdrom" groups in order for them to continue using xmcd.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:

http://security.debian.org/dists/potato/updates/main/source/xmcd_2.5pl1-7.1.dsc

http://security.debian.org/dists/potato/updates/main/source/xmcd_2.5pl1-7.1.diff.gz

http://security.debian.org/dists/potato/updates/main/source/xmcd_2.5pl1.orig.tar.gz

Alpha:

http://security.debian.org/dists/potato/updates/main/binary-alpha/cddb_2.5pl1-7.1_alpha.deb

http://security.debian.org/dists/potato/updates/main/binary-alpha/xmcd_2.5pl1-7.1_alpha.deb

ARM:

http://security.debian.org/dists/potato/updates/main/binary-arm/cddb_2.5pl1-7.1_arm.deb

http://security.debian.org/dists/potato/updates/main/binary-arm/xmcd_2.5pl1-7.1_arm.deb

Intel IA32:

http://security.debian.org/dists/potato/updates/main/binary-i386/cddb_2.5pl1-7.1_i386.deb

http://security.debian.org/dists/potato/updates/main/binary-i386/xmcd_2.5pl1-7.1_i386.deb

Motorola 680x0:

http://security.debian.org/dists/potato/updates/main/binary-m68k/cddb_2.5pl1-7.1_m68k.deb

http://security.debian.org/dists/potato/updates/main/binary-m68k/xmcd_2.5pl1-7.1_m68k.deb

PowerPC:

http://security.debian.org/dists/potato/updates/main/binary-powerpc/cddb_2.5pl1-7.1_powerpc.deb

http://security.debian.org/dists/potato/updates/main/binary-powerpc/xmcd_2.5pl1-7.1_powerpc.deb

Sun SPARC:

http://security.debian.org/dists/potato/updates/main/binary-sparc/cddb_2.5pl1-7.1_sparc.deb

http://security.debian.org/dists/potato/updates/main/binary-sparc/xmcd_2.5pl1-7.1_sparc.deb