Mirror of the lttng-dev mailing list
 help / color / mirror / Atom feed
* [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading]
@ 2010-09-29 13:27 Jon Bernard
  2010-09-29 13:32 ` David Goulet
                   ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Jon Bernard @ 2010-09-29 13:27 UTC (permalink / raw)


I just received this bug report and wanted to forward it here to get any
thoughts and/or opinions.

-- 
Jon

----- Forwarded message from Raphael Geissert <geissert at debian.org> -----

Date: Tue, 28 Sep 2010 04:23:22 +0000
From: Raphael Geissert <geissert@debian.org>
To: submit at bugs.debian.org
Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading
Reply-To: Raphael Geissert <geissert at debian.org>, 598309 at bugs.debian.org

Package: ust-bin
Version: 0.7-1
Severity: grave
Tags: security
User: team at security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/usttrace line 136:
	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
/usr/bin/usttrace line 144:
	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
[1] http://security-tracker.debian.org/tracker/CVE-2010-3386

Sincerely,
Raphael Geissert



----- End forwarded message -----



^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2010-09-30 19:21 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-09-29 13:27 [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] Jon Bernard
2010-09-29 13:32 ` David Goulet
2010-09-29 13:47 ` Mathieu Desnoyers
2010-09-29 15:16   ` Alexandre Montplaisir
2010-09-29 15:47     ` Mathieu Desnoyers
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2010-09-29 16:32   ` David Goulet
2010-09-29 17:25     ` Mathieu Desnoyers
2010-09-29 18:57   ` Nils Carlson
2010-09-29 20:40     ` [ltt-dev] [UST] malloc error found by david Mathieu Desnoyers
2010-09-29 23:01       ` David Goulet
2010-09-30 19:21         ` Nils Carlson
2010-09-29 23:11     ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) David Goulet
2010-09-30 10:18   ` Nils Carlson
2010-09-30 14:49     ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) (v2) Mathieu Desnoyers

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox