#82 CVE-2010-3351: insecure library loading

closed-fixed
9
2010-10-01
2010-09-28
quadrispro
No

The original report is available at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598285
-----------------------------------------------
Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/startBristol line 350:
export LD_LIBRARY_PATH=/usr/local/lib:usr/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

Note that there's also a missing slash on the second entry (_usr_/lib.)

This vulnerability has been assigned the CVE id CVE-2010-3351. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3351
[1] http://security-tracker.debian.org/tracker/CVE-2010-3351
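
An added example (not part of the original report or the upstream fix): a POSIX shell check that walks a colon-separated library path and flags the empty and relative items the report describes, plus a filter that keeps only absolute entries. The function names and the /opt/bristol prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; audit_lib_path and clean_lib_path are hypothetical helpers.
# The list is walked by hand because IFS splitting would silently drop a
# trailing empty item, which is one of the cases that must be detected.

# audit_lib_path LIST: print each entry the loader would resolve against
# the current directory; return 1 if any such entry exists, else 0.
audit_lib_path() {
    rest=$1; idx=0; bad=0
    [ -n "$rest" ] || return 0          # no entries to check
    while :; do
        case $rest in
            *:*) item=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   item=$rest; more=0 ;;
        esac
        idx=$((idx + 1))
        case $item in
            '') echo "entry $idx: empty item, searched as current directory"; bad=1 ;;
            /*) ;;                      # absolute path: fine
            *)  echo "entry $idx: relative path '$item'"; bad=1 ;;
        esac
        [ "$more" -eq 1 ] || break
    done
    return "$bad"
}

# clean_lib_path LIST: print LIST with empty and relative items removed.
clean_lib_path() {
    rest=$1; out=
    while [ -n "$rest" ]; do
        item=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        # ${out:+$out:} adds the separator only when out is non-empty,
        # so no empty item is ever produced.
        case $item in /*) out=${out:+$out:}$item ;; esac
    done
    printf '%s\n' "$out"
}

# Constructed input: the value line 350 produces when LD_LIBRARY_PATH is
# unset and BRISTOL=/opt/bristol (an assumed install prefix).
sample="/usr/local/lib:usr/lib::/opt/bristol/lib"
audit_lib_path "$sample" || echo "cleaned: $(clean_lib_path "$sample")"
```

The same `${VAR:+...}` idiom can be used directly when extending a path in a wrapper script, so that an unset variable never leaves a bare colon behind.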

Discussion

  • quadrispro

    quadrispro - 2010-09-28
    • priority: 5 --> 9
     
  • Nick Copeland

    Nick Copeland - 2010-09-28

    This is pretty easy to resolve, I will work on getting you a fixed script before the end of the week.

     
  • Nick Copeland

    Nick Copeland - 2010-09-28
    • assigned_to: nobody --> ncopeland
     
  • Nick Copeland

    Nick Copeland - 2010-09-28

    0.60 fix for LD_LIBRARY_PATH security concerns

     
    Attachments
  • Nick Copeland

    Nick Copeland - 2010-09-28

    The attached file should resolve the potential security issues of the LD_LIBRARY_PATH as used in the script.

     
  • Nick Copeland

    Nick Copeland - 2010-09-28
    • status: open --> pending
     
  • quadrispro

    quadrispro - 2010-09-29

    Applied, thanks!

     
  • quadrispro

    quadrispro - 2010-09-29
    • status: pending --> open
     
  • quadrispro

    quadrispro - 2010-09-29
    • status: open --> open-works-for-me
     
  • Nick Copeland

    Nick Copeland - 2010-09-29
    • status: open-works-for-me --> pending-fixed
     
  • Nick Copeland

    Nick Copeland - 2010-10-01
    • status: pending-fixed --> closed-fixed
     
  • Nick Copeland

    Nick Copeland - 2010-10-01

    Fix will be in next upload, current release can be patched with the attached file.

     
