CVE-2020-13696

NameCVE-2020-13696
DescriptionAn issue was discovered in LinuxTV xawtv before 3.107. The function dev_open() in v4l-conf.c does not perform sufficient checks to prevent an unprivileged caller of the program from opening unintended filesystem paths. This allows a local attacker with access to the v4l-conf setuid-root program to test for the existence of arbitrary files and to trigger an open on arbitrary files with mode O_RDWR. To achieve this, relative path components need to be added to the device path, as demonstrated by a v4l-conf -c /dev/../root/.bash_history command.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2246-1
Debian Bugs962221

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xawtv (PTS)bullseye3.107-1fixed
bookworm3.107-1.1fixed
sid, trixie3.107-2.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xawtvsourcejessie3.103-3+deb8u1DLA-2246-1
xawtvsource(unstable)3.107-1962221

Notes

[stretch] - xawtv <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2020/06/04/6
Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3
Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292
But those sill allow to test for arbitrary files and would need:
https://www.openwall.com/lists/oss-security/2020/06/04/6/1

Search for package or bug name: Reporting problems