COMMAND

    zgv

SYSTEMS AFFECTED

    Linux

PROBLEM

    Chris Evans found the following.  zgv is an image viewer which runs
    under SVGAlib at the Linux console (probably BSD too).  It has to be
    installed suid-root to access the graphics hardware.  zgv has a long
    history of security problems, ranging from relatively boring and
    trivial buffer overflows to the more recent leak of privileged file
    descriptors to child processes.  This latter hole was interesting:
    it demonstrated that although an SVGAlib application drops root
    privileges after initializing, it is still vulnerable to buffer
    overflows because the program holds a vital resource, a writable
    file descriptor to /dev/mem.  This applies to all SVGAlib programs
    (like Quake2; this was first thought to be particularly bad because
    Quake 2 supports user-written .so files and drops root privileges
    before loading them, so it appeared they could get root back.  In
    fact Quake2 does not support user-written shared objects; it only
    reads out of the dir in /etc/quake2.conf.  As for multiplayer games,
    quake2 modifications are server-side, so it is the server admin who
    should be worried about security).

    The new hole Chris has found _also_ involves a leak of privileges to
    child processes.  This is an issue because a user may specify, via
    the "-a" option, a different program for zgv to launch to view the
    picture (using zgv just as a graphical file manager).  The precise
    privilege leaked to child processes is iopl(3).  This is a processor
    privilege level on Intel: iopl(3) gives access to all I/O ports
    (ouch) and also allows use of the cli and sti instructions.  Going
    from iopl(3) privileges to root is non-trivial but very possible.
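
    Added example, written for this page and not part of zgv or of
    Chris Evans' patches: the scrub a formerly suid-root SVGAlib program
    should perform in the child before exec'ing the user-chosen "-a"
    viewer.  It counts the descriptors that would cross execve() without
    FD_CLOEXEC (a /dev/mem handle would show up in that count), marks
    them close-on-exec, and gives up the I/O port level with iopl(0)
    before exec, refusing to run the viewer if that fails, which on a
    2.0.x kernel it would, since lowering iopl there needs root.  The
    function names, the /dev/null stand-in for a leaked descriptor and
    the viewer/picture arguments are assumptions; the program runs
    without root because nothing in it ever raises iopl.

```c
/* Added example (not zgv's code): scrub inherited resources before
 * exec'ing an external viewer from a formerly suid-root process.
 * Function names and the demo inputs are assumptions for illustration. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__i386__) || defined(__x86_64__)
#include <sys/io.h>     /* iopl() is declared here on x86 glibc */
#endif

/* Upper bound for descriptor scans; sysconf() can report huge limits. */
static long fd_limit(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    return max;
}

/* Count descriptors above stderr that would survive execve(), i.e. those
 * lacking FD_CLOEXEC.  A /dev/mem handle here is exactly the leak the
 * advisory describes. */
int count_inheritable_fds(void)
{
    int n = 0;
    long max = fd_limit();
    for (long fd = 3; fd < max; fd++) {
        int flags = fcntl((int)fd, F_GETFD);      /* -1/EBADF if not open */
        if (flags >= 0 && !(flags & FD_CLOEXEC)) n++;
    }
    return n;
}

/* Mark one descriptor close-on-exec.  Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Mark every open descriptor above stderr close-on-exec.
 * Returns how many descriptors were changed. */
int mark_all_cloexec(void)
{
    int changed = 0;
    long max = fd_limit();
    for (long fd = 3; fd < max; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags >= 0 && !(flags & FD_CLOEXEC) &&
            fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            changed++;
    }
    return changed;
}

/* Give up the I/O port privilege level.  On 2.2+ kernels an unprivileged
 * process may lower its own level; on 2.0.x that needs root, which the
 * caller no longer has, so the child must treat failure as fatal. */
static int drop_ioport_privilege(void)
{
#if defined(__i386__) || defined(__x86_64__)
    return iopl(0);
#else
    return 0;   /* no iopl on this architecture; nothing to drop */
#endif
}

/* Fork and exec the external viewer with privileges scrubbed.  Returns the
 * child's exit status, or -1 on setup failure.  The child exits 127 rather
 * than exec with iopl(3) still held (fail closed). */
int launch_viewer(const char *viewer, const char *picture)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_ioport_privilege() != 0) _exit(127);
        mark_all_cloexec();      /* nothing like /dev/mem crosses execve() */
        execlp(viewer, viewer, picture, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed demo: leak a descriptor on purpose, then show the scrub. */
    int fd = open("/dev/null", O_RDONLY);
    printf("inheritable before scrub: %d\n", count_inheritable_fds());
    mark_all_cloexec();
    printf("inheritable after scrub:  %d\n", count_inheritable_fds());
    if (fd >= 0) close(fd);
    /* With two arguments, behave like "zgv -a viewer picture", scrubbed. */
    if (argc == 3) return launch_viewer(argv[1], argv[2]);
    return 0;
}
```

    Run with no arguments to see the descriptor audit; with two it
    launches the named viewer on the named picture the way a fixed "-a"
    would.  iopl(0) is compiled in only on x86, where the syscall
    exists; elsewhere there is nothing to drop.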

SOLUTION

    No SVGAlib programs should be installed on "secure" systems.  Too
    many programmers of SVGAlib software assume that SVGAlib will drop
    all privileges.  It may drop root, but it still retains resources
    (the /dev/mem fd, iopl(3)) which, if taken over, can easily lead to
    root.  Best to just "rpm -e zgv".  Chris closed this hole in some
    RPMs for RedHat 5.2 by disabling the "-a" option.  (The hole could
    not be closed by doing iopl(0) in the child because in Linux 2.0.x
    you need root privileges to lower your iopl; this is fixed in
    2.2.x.)  If you like/use zgv feel free to use these.  They are at:

        ftp://ftp.lmh.ox.ac.uk/users/chris/security

    Patches for RedHat:

      Red Hat Linux 5.2:
      ------------------
        i386:   rpm -Uvh ftp://updates.redhat.com/5.2/i386/zgv-3.0-7.i386.rpm
        source: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/zgv-3.0-7.src.rpm

      Red Hat Linux 5.1:
      ------------------
        i386:   rpm -Uvh ftp://updates.redhat.com/5.1/i386/zgv-3.0-5.1.i386.rpm
        source: rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/zgv-3.0-5.1.src.rpm

      Red Hat Linux 5.0:
      ------------------
        i386:   rpm -Uvh ftp://updates.redhat.com/5.0/i386/zgv-3.0-1.5.0.i386.rpm
        source: rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/zgv-3.0-1.5.0.src.rpm

      Red Hat Linux 4.2:
      ------------------
        i386:   rpm -Uvh ftp://updates.redhat.com/4.2/i386/zgv-3.0-1.4.2.i386.rpm
        source: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/zgv-3.0-1.4.2.src.rpm