From mboxrd@z Thu Jan 1 00:00:00 1970 From: compudj@krystal.dyndns.org (Mathieu Desnoyers) Date: Wed, 29 Sep 2010 09:47:11 -0400 Subject: [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] In-Reply-To: <20100929132755.GA20790@starquasia> References: <20100929132755.GA20790@starquasia> Message-ID: <20100929134710.GA29500@Krystal> * Jon Bernard (jbernard at debian.org) wrote: > I just received this bug report and wanted to forward it here to get any > thoughts and/or opinions. > > -- > Jon > > ----- Forwarded message from Raphael Geissert ----- > > Date: Tue, 28 Sep 2010 04:23:22 +0000 > From: Raphael Geissert > To: submit at bugs.debian.org > Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading > Reply-To: Raphael Geissert , 598309 at bugs.debian.org > > Package: ust-bin > Version: 0.7-1 > Severity: grave > Tags: security > User: team at security.debian.org > Usertags: ldpath > > Hello, > > During a review of the Debian archive, I've found your package to > contain a script that can be abused by an attacker to execute arbitrary > code. > > The vulnerability is introduced by an insecure change to > LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for > libraries on a directory other than the standard paths. > > Vulnerable code follows: > > /usr/bin/usttrace line 136: > export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" > /usr/bin/usttrace line 144: > export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" Changing this for something like the following should do the trick: if [ "x${LD_LIBRARY_PATH}" != "x" ]; then export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${LIBUST_PATH%libust.so}" else export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}" fi (untested, but should do the trick) Note that I added extra braces ( ${} ) to delimit the variable more clearly. Thanks, Mathieu > > When there's an empty item on the colon-separated list of > LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) > If the given script is executed from a directory where a potential, > local, attacker can write files to, there's a chance to exploit this > bug. > > This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure > you mention it when forwarding this report to upstream and when fixing > this bug (everywhere: upstream and here at Debian.) > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386 > [1] http://security-tracker.debian.org/tracker/CVE-2010-3386 > > Sincerely, > Raphael Geissert > > > > ----- End forwarded message ----- > > _______________________________________________ > ltt-dev mailing list > ltt-dev at lists.casi.polymtl.ca > http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev > -- Mathieu Desnoyers Operating System Efficiency R&D Consultant EfficiOS Inc. http://www.efficios.com