COMMAND

    /usr/X11/bin/xmcd

SYSTEMS AFFECTED

    Systems running XMCD 2.0pl2 (all previous versions?) and XMCD 2.1

PROBLEM

    The cddb_init() function reads the environment variable
    XMCD_CDDBPATH and parses path names out of it, dynamically
    allocating memory for each path name as it is parsed. The
    cd_init() function, which calls cddb_init(), then takes the
    structure holding the dynamically allocated path string and
    copies it into a fixed-length buffer with:

        sprintf(str, "   %s", pathp->path);

    The str variable is defined in cd_init() as char str[FILE_PATH_SZ + 2].

    In other words, sprintf() performs no length check, so an overlong
    path in the XMCD_CDDBPATH environment variable overflows this
    buffer, allowing a user to overwrite the contents of the stack and
    execute arbitrary code as root.
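
    The copy described above with a bounds check, as an added example
    (not xmcd source code). The FILE_PATH_SZ value, the ":" separator
    and the function names are assumptions; the sample input is
    constructed.

```c
#include <stdio.h>
#include <string.h>

#define FILE_PATH_SZ 64   /* assumed value; the advisory does not give it */
#define PATH_SEP ":"      /* assumed separator for XMCD_CDDBPATH entries */

/* Bounded replacement for: sprintf(str, "   %s", pathp->path);
 * Returns 0 if the entry fit in str, -1 if it was rejected. */
static int format_entry(char *str, size_t size, const char *path, size_t len)
{
    int n;
    if (size == 0) return -1;
    if (len >= size)                  /* cannot fit; keeps (int)len safe */
        goto reject;
    n = snprintf(str, size, "   %.*s", (int)len, path);
    if (n < 0 || (size_t)n >= size)   /* truncated: treat as an error */
        goto reject;
    return 0;
reject:
    str[0] = '\0';
    return -1;
}

/* Walk an XMCD_CDDBPATH-style value and count the entries that would not
 * fit in cd_init()'s fixed buffer. Empty entries are skipped. */
int count_oversized(const char *value)
{
    char str[FILE_PATH_SZ + 2];       /* same declaration as in cd_init() */
    int rejected = 0;

    while (value != NULL && *value != '\0') {
        size_t len = strcspn(value, PATH_SEP);
        if (len > 0 && format_entry(str, sizeof(str), value, len) != 0)
            rejected++;
        value += len;
        if (*value == PATH_SEP[0])
            value++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample value: one short entry, one 200-byte entry. */
    char sample[256] = "/var/cddb/rock:";
    memset(sample + 15, 'A', 200);
    printf("rejected entries: %d\n", count_oversized(sample));
    return 0;
}
```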

    As for XMCD 2.1: on Solaris 2 the binary gets installed SUID but
    doesn't seem to require it (with the SUID bit removed, everything
    still seems to function, although the database may not be updated
    for new CDs), which is not the case for Linux.

SOLUTION

    Patch: chmod -s xmcd
    Solution: rm -f xmcd; buy yourself a CD set for home!