24334 2010-10-16 12:53:56 +0400 CVE-2010-3378: insecure library loading 2021-09-29 13:39:47 +0300 1 1 4 Development Sisyphus scilab unstable all Linux CLOSED FIXED http://bugs.debian.org/598422 security P3 blocker --- 1 crux nobody rider qa-sisyphus oldest_to_newest 113837 0 crux 2010-10-16 12:53:56 +0400 The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries on a directory other than the standard paths. Vulnerable code follows: /usr/bin/scilab-adv-cli line 280: LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH" /usr/bin/scilab-adv-cli line 459: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab-adv-cli line 518: LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/" /usr/bin/scilab-adv-cli line 534: LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH /usr/bin/scilab line 283: LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH" /usr/bin/scilab line 462: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab line 521: LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/" /usr/bin/scilab line 537: LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given script is executed from a directory where a potential, local, attacker can write files to, there's a chance to exploit this bug. 113841 1 crux 2010-10-16 13:30:41 +0400 По сравнению с debian у нас в scilab из shell-скриптов есть только /usr/bin/scilab Там есть несколько точек с небезопасным изменением LD_LIBRARY_PATH: /usr/bin/scilab line 398: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab line 442: LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} В последнем случае лучше заменить на: LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} 115397 2 nbr 2010-11-16 23:33:39 +0300 Это не ко мне уже. Заодно исправьте ошибку с арифметическим переполнением при компиляции фортрана. 115406 3 vitty 2010-11-17 02:12:12 +0300 $ ssh git.alt acl sisyphus scilab show scilab nbr @everybody перевесьте пакет на nobody@ 203337 4 rider 2021-09-29 13:39:47 +0300 В scilab-6.1.1-alt1 есть обработка пустых значений переменных в LD_LIBRARY_PATH