From: SourceForge.net <no...@so...> - 2012-07-25 18:06:05

Bugs item #3541554, was opened at 2012-07-09 02:17
Message generated for change (Settings changed) made by mchasal
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=712784&aid=3541554&group_id=128809

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: sfcb
Group: Security
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Klaus Kämpf (kkaempf)
>Assigned to: Dave Heller (hellerda)
Summary: insecure LD_LIBRARY_PATH usage

Initial Comment:
CVE-2012-3381

/etc/init.d/sfcb uses:

LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH

which is insecure if LD_LIBRARY_PATH is empty. It makes binaries use libraries from the current directory, which is a problem if e.g. an administrator starts the sfcb service from an untrusted directory.

Also it uses it to set /usr/lib, a default path. Just get rid of the whole if ... as it is useless.

References:
https://access.redhat.com/security/cve/CVE-2012-3381
https://bugzilla.novell.com/show_bug.cgi?id=770234

----------------------------------------------------------------------

>Comment By: Michael Chase-Salerno (mchasal)
Date: 2012-07-25 11:06

Message:
Will fix the issue, but I believe that we do need to keep this code in. It may appear useless in your particular case, where it is /usr/lib, but that pathname is based on the prefix that sfcb is built with. So it could be /usr/local/lib or any pathname.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=712784&aid=3541554&group_id=128809
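The following is an added illustration, not code from the sfcb init script or from either commenter. It contrasts the reported construction (`$libdir:$LD_LIBRARY_PATH`) with a form that keeps the prefix-dependent library directory the maintainer wants but never produces an empty path element; `libdir`, `insecure_path`, `safe_path` and `has_empty_element` are names chosen here for the example.

```shell
#!/bin/sh
# Added example (not from the sfcb init script). "libdir" stands in for
# the prefix-dependent library directory (/usr/lib, /usr/local/lib, ...).

# The reported pattern: with an empty inherited value the result is
# "<libdir>:", and the dynamic loader treats the empty trailing element
# as the current working directory.
insecure_path() {
    printf '%s:%s\n' "$1" "$2"
}

# Corrected construction: the separator and the inherited value are
# appended only when the inherited value is non-empty, so libdir is
# still honoured for any build prefix but no empty element can appear.
safe_path() {
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# Defensive check usable in an init script or audit: report whether a
# colon-separated search path contains an empty element (leading or
# trailing colon, or "::"). Returns 0 if it does, 1 otherwise.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with an empty inherited LD_LIBRARY_PATH and a
# non-default build prefix.
for dir in /usr/lib /usr/local/lib; do
    bad=$(insecure_path "$dir" "")
    good=$(safe_path "$dir" "")
    has_empty_element "$bad"  && echo "insecure: '$bad' (empty element = cwd)"
    has_empty_element "$good" || echo "safe:     '$good'"
done
```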