#24334 – CVE-2010-3378: insecure library loading

Bug 24334 - CVE-2010-3378: insecure library loading

Summary: CVE-2010-3378: insecure library loading

Status:	CLOSED FIXED

Alias:	None

Product:	Sisyphus
Classification:	Development
Component:	scilab (show other bugs)
Version:	unstable
Hardware:	all Linux

Importance:	P3 blocker
Assignee:	Nobody's working on this, feel free to take it
QA Contact:	qa-sisyphus

URL:	http://bugs.debian.org/598422
Keywords:	security

Depends on:
Blocks:

Reported:	2010-10-16 12:53 MSD by Vladimir Lettiev
Modified:	2021-09-29 13:39 MSK (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vladimir Lettiev 2010-10-16 12:53:56 MSD

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/scilab-adv-cli line 280:
                    LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH"
/usr/bin/scilab-adv-cli line 459:
		    LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab-adv-cli line 518:
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/"
/usr/bin/scilab-adv-cli line 534:
LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH
/usr/bin/scilab line 283:
                    LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH"
/usr/bin/scilab line 462:
		    LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab line 521:
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/"
/usr/bin/scilab line 537:
LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

Comment 1 Vladimir Lettiev 2010-10-16 13:30:41 MSD

По сравнению с debian у нас в scilab из shell-скриптов есть только /usr/bin/scilab
Там есть несколько точек с небезопасным изменением LD_LIBRARY_PATH:

/usr/bin/scilab line 398: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"

/usr/bin/scilab line 442:
LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

В последнем случае лучше заменить на:
LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

Comment 2 nbr 2010-11-16 23:33:39 MSK

Это не ко мне уже.
Заодно исправьте ошибку с арифметическим переполнением при компиляции фортрана.

Comment 3 Vitaly Kuznetsov 2010-11-17 02:12:12 MSK

$ ssh git.alt acl sisyphus scilab show     
scilab	nbr @everybody

перевесьте пакет на nobody@

Comment 4 Anton Farygin 2021-09-29 13:39:47 MSK

В scilab-6.1.1-alt1 есть обработка пустых значений переменных в LD_LIBRARY_PATH