CVE-2020-13696

08.06.2020, 17:15

An issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.4 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Vendor	Product	Version
linuxtv	xawtv	𝑥 < 3.107
debian	debian_linux	8.0
opensuse	backports_sle	15.0:sp1
opensuse	leap	15.1
canonical	ubuntu_linux	16.04

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xawtv

bullseye	3.107-1 fixed
stretch	no-dsa
bookworm	3.107-1.1 fixed
sid	3.107-2.1 fixed
trixie	3.107-2.1 fixed

Ubuntu Releases

Ubuntu Product

Codename

xawtv

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	needs-triage
eoan	ignored
bionic	needs-triage
xenial	Fixed 3.103-3+deb8u1build0.16.04.1 released
trusty	dne

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00013.html

http://www.openwall.com/lists/oss-security/2020/06/04/6

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-13696

https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3

https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292

https://git.linuxtv.org/xawtv3.git/commit/?id=8e3feea862db68d3ca0886f46cd99fab45d2db7c

https://lists.debian.org/debian-lts-announce/2020/06/msg00018.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ELOXU5LXQSQOXX64D4BICZV3TQWOBXHC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7XWAO7W2DGA6M52JGK2TDWUGF62Q2KY/

https://usn.ubuntu.com/4518-1/

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00013.html

http://www.openwall.com/lists/oss-security/2020/06/04/6

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-13696

https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3

https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292

https://git.linuxtv.org/xawtv3.git/commit/?id=8e3feea862db68d3ca0886f46cd99fab45d2db7c

https://lists.debian.org/debian-lts-announce/2020/06/msg00018.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ELOXU5LXQSQOXX64D4BICZV3TQWOBXHC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7XWAO7W2DGA6M52JGK2TDWUGF62Q2KY/

https://usn.ubuntu.com/4518-1/