Mirror of the lttng-dev mailing list
 help / color / mirror / Atom feed
From: compudj@krystal.dyndns.org (Mathieu Desnoyers)
Subject: [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin:	CVE-2010-3386: insecure library loading]
Date: Wed, 29 Sep 2010 11:47:49 -0400	[thread overview]
Message-ID: <20100929154749.GA11902@Krystal> (raw)
In-Reply-To: <4CA3584F.5000104@polymtl.ca>

* Alexandre Montplaisir (alexandre.montplaisir at polymtl.ca) wrote:
>
>
> On 10-09-29 09:47 AM, Mathieu Desnoyers wrote:
>> * Jon Bernard (jbernard at debian.org) wrote:
>>> I just received this bug report and wanted to forward it here to get any
>>> thoughts and/or opinions.
>>>
>>> -- 
>>> Jon
>>>
>>> ----- Forwarded message from Raphael Geissert<geissert at debian.org>  -----
>>>
>>> Date: Tue, 28 Sep 2010 04:23:22 +0000
>>> From: Raphael Geissert<geissert@debian.org>
>>> To: submit at bugs.debian.org
>>> Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading
>>> Reply-To: Raphael Geissert<geissert at debian.org>, 598309 at bugs.debian.org
>>>
>>> Package: ust-bin
>>> Version: 0.7-1
>>> Severity: grave
>>> Tags: security
>>> User: team at security.debian.org
>>> Usertags: ldpath
>>>
>>> Hello,
>>>
>>> During a review of the Debian archive, I've found your package to
>>> contain a script that can be abused by an attacker to execute arbitrary
>>> code.
>>>
>>> The vulnerability is introduced by an insecure change to
>>> LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
>>> libraries on a directory other than the standard paths.
>>>
>>> Vulnerable code follows:
>>>
>>> /usr/bin/usttrace line 136:
>>> 	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>>> /usr/bin/usttrace line 144:
>>> 	    export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}"
>> Changing this for something like the following should do the trick:
>>
>> if [ "x${LD_LIBRARY_PATH}" != "x" ]; then
>> 	export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${LIBUST_PATH%libust.so}"
>> else
>> 	export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}"
>> fi
>>
>
> Don't we still have the same problem, that if LD_LIBRARY_PATH *already*  
> contains a " " in the list, it will still be there after we append  
> LIBUST_PATH?

I think these "constrained" shells will disallow setting LD_LIBRARY_PATH
altogether from the shell, so we should not have to deal with a
LD_LIBRARY_PATH=" "

The problem comes when LD_LIBRARY_PATH is unset: in this case, usttrace
sets the new variable to   ":otherpath", where the ": part acts as if
the "./" path was in the path, which is the security issue.

> libust.so gets installed in /usr/lib for those who install the package.  
> For the others, don't we add an entry in ld.so.cache?

Not sure, this will require more discussion involving other usttrace
developers. For now, my job of patching the security issue is done. ;)

Thanks,

Mathieu

>
> Alexandre
>
>
>> (untested, but should do the trick)
>>
>> Note that I added extra braces ( ${} ) to delimit the variable more
>> clearly.
>>
>> Thanks,
>>
>> Mathieu
>>
>>
>>> When there's an empty item on the colon-separated list of
>>> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
>>> If the given script is executed from a directory where a potential,
>>> local, attacker can write files to, there's a chance to exploit this
>>> bug.
>>>
>>> This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure
>>> you mention it when forwarding this report to upstream and when fixing
>>> this bug (everywhere: upstream and here at Debian.)
>>>
>>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386
>>> [1] http://security-tracker.debian.org/tracker/CVE-2010-3386
>>>
>>> Sincerely,
>>> Raphael Geissert
>>>
>>>
>>>
>>> ----- End forwarded message -----
>>>
>>> _______________________________________________
>>> ltt-dev mailing list
>>> ltt-dev at lists.casi.polymtl.ca
>>> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev
>>>
>

-- 
Mathieu Desnoyers
Operating System Efficiency R&D Consultant
EfficiOS Inc.
http://www.efficios.com




  reply	other threads:[~2010-09-29 15:47 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-09-29 13:27 Jon Bernard
2010-09-29 13:32 ` David Goulet
2010-09-29 13:47 ` Mathieu Desnoyers
2010-09-29 15:16   ` Alexandre Montplaisir
2010-09-29 15:47     ` Mathieu Desnoyers [this message]
2010-09-29 15:06 ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) Mathieu Desnoyers
2010-09-29 16:32   ` David Goulet
2010-09-29 17:25     ` Mathieu Desnoyers
2010-09-29 18:57   ` Nils Carlson
2010-09-29 20:40     ` [ltt-dev] [UST] malloc error found by david Mathieu Desnoyers
2010-09-29 23:01       ` David Goulet
2010-09-30 19:21         ` Nils Carlson
2010-09-29 23:11     ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) David Goulet
2010-09-30 10:18   ` Nils Carlson
2010-09-30 14:49     ` [ltt-dev] [PATCH UST] Fix insecure library loading (Debian Bug #598309, CVE-2010-3386) (v2) Mathieu Desnoyers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100929154749.GA11902@Krystal \
    --to=compudj@krystal.dyndns.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox