Bug 24333 - CVE-2010-3385: insecure library loading
: CVE-2010-3385: insecure library loading
Status: CLOSED FIXED
: Sisyphus
(All bugs in Sisyphus/tuxguitar)
: unstable
: all Linux
: P3 blocker
Assigned To:
:
: http://bugs.debian.org/598307
: security
:
:
  Show dependency tree
 
Reported: 2010-10-16 12:49 by
Modified: 2011-10-12 03:17 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2010-10-16 12:49:07
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/tuxguitar line 129:
        export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$MOZILLA_FIVE_HOME"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
------- Comment #1 From 2010-10-16 13:34:19 -------
Не понял, мне прислать патч для ld.so, чтобы он пустое поле не считал '.' ?
------- Comment #2 From 2010-10-16 13:43:18 -------
:)
Разговоры об этом идут давно, но ещё никто не смог протащить такое в апстрим.

Правильнее обернуть так:
export
LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$MOZILLA_FIVE_HOME"
------- Comment #3 From 2011-10-12 02:17:19 -------
В данном скрипте LD_LIBRARY_PATH не может быть пустой из-за строки выше:
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/usr/lib/tuxguitar/
------- Comment #4 From 2011-10-12 03:17:21 -------
tuxguitar-1.2-alt2 -> sisyphus:

* Tue Oct 11 2011 Vitaly Lipatov <lav@altlinux> 1.2-alt2
- fix CVE-2010-3385: insecure library loading (ALT bug #24333)