
#2499 insecure LD_LIBRARY_PATH usage

Security
pending-fixed
sfcb (1090)
5
2014-08-16
2012-07-09
No

CVE-2012-3381

/etc/init.d/sfcb uses:

LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH

which is insecure if LD_LIBRARY_PATH is empty. It makes binaries use
libraries from the current directory, which is a problem if e.g. an
administrator starts the sfcb service from an untrusted directory.

Also it uses it to set /usr/lib, a default path.

Just get rid of the whole if ... as it is useless.

References:
https://access.redhat.com/security/cve/CVE-2012-3381
https://bugzilla.novell.com/show_bug.cgi?id=770234

Discussion

  • Michael Chase-Salerno

    Will fix the issue, but I believe that we do need to keep this code in. It may appear useless in your particular case, where it is /usr/lib, but that pathname is based on the prefix that sfcb is built with. So it could be /usr/local/lib or any pathname.

     
  • Michael Chase-Salerno

    • assigned_to: buccella --> hellerda
     
  • Dave Heller

    Dave Heller - 2012-07-27

    This patch ensures LD_LIBRARY_PATH will never end in a colon. It also fixes a bug where LD_LIBRARY_PATH would not be updated if the current LD_LIBRARY_PATH included a path containing the SFCB libdir but was not the SFCB libdir (e.g. a subdirectory of libdir).

    It occurred to me there is more than one approach to the trailing colon issue:

    1. ensure a colon is never added when we set a new LD_LIBRARY_PATH
    2. additionally remove any trailing colon when we prepend our path to LD_LIBRARY_PATH
    3. always remove the trailing colon even in the cases where we do not alter LD_LIBRARY_PATH (i.e. already includes our path)

    Normally I would go with the least intrusive change (option 1) but in this case, since it is a potential security issue, and since we are only setting SFCB environment, we may want option 3. Option 2 does not seem good; if we are going to alter the existing LD_LIBRARY_PATH we should be consistent about it.

    The only way I can think of where this would break something is: if a provider depends on some custom LD_LIBRARY_PATH to be set before SFCB starts and also requires that LD_LIBRARY_PATH to end in a colon.

    The attached patch implements option 3. If there is feedback to the contrary I can change it.

     
  • Dave Heller

    Dave Heller - 2012-07-27

    patch for SFCB 1.3

     
  • Dave Heller

    Dave Heller - 2012-07-29

    After discussing with the SFCB team we have decided on option 1. Committed to CVS head and git master.

     
  • Dave Heller

    Dave Heller - 2012-07-29
    • status: open --> pending-fixed
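
Option 1 from the discussion above, combined with the exact-directory match described for the patch, written out as an added example; it is not the SFCB patch or the project's code. The function names and the sample directories are assumptions, and leaving an inherited value untouched is this example's reading of option 1.

```shell
#!/bin/sh
# Added example, not the committed SFCB change. All function names are
# hypothetical; the directories in the usage comment are sample values.

# Succeeds only if $1 is one exact colon-separated component of $2.
# A plain substring test would wrongly match /usr/lib inside /usr/lib/sfcb.
path_has_component() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the library search path that results from prepending libdir $1
# to the current value $2. No colon is emitted when $2 is empty, so the
# result never gains an empty component from this function.
prepend_libdir() {
    libdir=$1
    current=$2
    if [ -z "$current" ]; then
        printf '%s\n' "$libdir"
    elif path_has_component "$libdir" "$current"; then
        printf '%s\n' "$current"
    else
        printf '%s\n' "$libdir:$current"
    fi
}

# Succeeds if $1 has an empty component (leading, trailing or doubled
# colon). The dynamic loader reads an empty component as the current
# working directory, which is the condition reported in this ticket.
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage inside an init script (SFCB_LIBDIR is an assumed variable name):
#   LD_LIBRARY_PATH=$(prepend_libdir "$SFCB_LIBDIR" "${LD_LIBRARY_PATH:-}")
#   export LD_LIBRARY_PATH
```

Because an inherited value is passed through unchanged here, a trailing colon that was already present before the script ran is still reported by `has_empty_component` afterwards.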
     
