Doesn't test for setuid return code

Bug #439272 reported by Loïc Minier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
xsplash | Fix Released | Undecided | Unassigned |
xsplash (Ubuntu) | Fix Released | Low | Kees Cook |
Karmic | Fix Released | Low | Kees Cook |

Bug Description

Binary package hint: xsplash

Hi

xsplash doesn't test for the return code of setuid but should.

Bye

ProblemType: Bug
Architecture: amd64
Date: Wed Sep 30 12:30:29 2009
DistroRelease: Ubuntu 9.10
Package: xsplash 0.8.1-0ubuntu1
ProcEnviron:
 LANGUAGE=fr_FR:fr:en_GB:en
 PATH=(custom, user)
 LANG=fr_FR.UTF-8
 SHELL=/bin/zsh
ProcVersionSignature: Ubuntu 2.6.31-11.36-generic
SourcePackage: xsplash
Uname: Linux 2.6.31-11-generic x86_64

Loïc Minier (lool) wrote :
Loïc Minier (lool)
visibility: private → public
Kees Cook (kees) wrote :

This is probably what we want it doing instead...

Changed in xsplash (Ubuntu):
status: New → Triaged
Changed in xsplash (Ubuntu Karmic):
milestone: none → ubuntu-9.10
importance: Undecided → Low
assignee: nobody → Loïc Minier (lool)
Kees Cook (kees)
Changed in xsplash (Ubuntu Karmic):
assignee: Loïc Minier (lool) → Kees Cook (kees)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xsplash - 0.8.2-0ubuntu2

---------------
xsplash (0.8.2-0ubuntu2) karmic; urgency=low

  * Add 90_correctly-setuid.patch to use setresuid() and test the return
    code (LP: #439272).
  * Re-added dropped 0.8.1-0ubuntu2 changelog, removed now-upstreamed
    patch 60_slist-use-proper-var.patch.

 -- Kees Cook <email address hidden> Sat, 03 Oct 2009 10:02:21 -0700

Changed in xsplash (Ubuntu Karmic):
status: Triaged → Fix Released
Ted Gould (ted) wrote : Re: [Bug 439272] Re: Doesn't test for setuid return code

It would be nice if you guys would turn these patches into merge
requests for projects in LP :) They're easier to merge and harder to
lose track of.

Here's a similar patch, but now I've added your additional comments:

  https://code.launchpad.net/~bratsche/xsplash/setgid/+merge/12788

You can see all active merge proposals for a project here:

  https://code.launchpad.net/xsplash/+activereviews

Thanks for the fix!

Kees Cook (kees) wrote :

On Sat, Oct 03, 2009 at 07:54:57PM -0000, Ted Gould wrote:
> It would be nice if you guys would turn these patches into merge
> requests for projects in LP :) They're easier to merge and harder to
> lose track of.
>
> Here's a similar patch, but now I've added your additional comments:
>
> https://code.launchpad.net/~bratsche/xsplash/setgid/+merge/12788
>
> You can see all active merge proposals for a project here:
>
> https://code.launchpad.net/xsplash/+activereviews
>
> Thanks for the fix!

All the branches I could find lacked actual code and were just packaging
branches, which I find very difficult to deal with as it requires a
single build process that, to my knowledge, is incompatible with standard
sbuild/schroot methods. :(

--
Kees Cook
Ubuntu Security Team

Cody Russell (bratsche) wrote :

Is there something I can do to get code branches registered at https://code.launchpad.net/ubuntu/+source/xsplash?

Right now most of the branches are at https://code.launchpad.net/~bratsche

Robert Collins (lifeless) wrote :

On Mon, 2009-10-05 at 02:48 +0000, Cody Russell wrote:
> Is there something I can do to get code branches registered at
> https://code.launchpad.net/ubuntu/+source/xsplash?
>
> Right now most of the branches are at
> https://code.launchpad.net/~bratsche

bzr push lp:~bratsche/ubuntu/karmic/xsplash/BRANCHNAME

-Rob

Cody Russell (bratsche)
Changed in xsplash:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.