From mboxrd@z Thu Jan 1 00:00:00 1970 From: alexandre.montplaisir@polymtl.ca (Alexandre Montplaisir) Date: Wed, 29 Sep 2010 11:16:31 -0400 Subject: [ltt-dev] [geissert@debian.org: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading] In-Reply-To: <20100929134710.GA29500@Krystal> References: <20100929132755.GA20790@starquasia> <20100929134710.GA29500@Krystal> Message-ID: <4CA3584F.5000104@polymtl.ca> On 10-09-29 09:47 AM, Mathieu Desnoyers wrote: > * Jon Bernard (jbernard at debian.org) wrote: >> I just received this bug report and wanted to forward it here to get any >> thoughts and/or opinions. >> >> -- >> Jon >> >> ----- Forwarded message from Raphael Geissert ----- >> >> Date: Tue, 28 Sep 2010 04:23:22 +0000 >> From: Raphael Geissert >> To: submit at bugs.debian.org >> Subject: Bug#598309: ust-bin: CVE-2010-3386: insecure library loading >> Reply-To: Raphael Geissert, 598309 at bugs.debian.org >> >> Package: ust-bin >> Version: 0.7-1 >> Severity: grave >> Tags: security >> User: team at security.debian.org >> Usertags: ldpath >> >> Hello, >> >> During a review of the Debian archive, I've found your package to >> contain a script that can be abused by an attacker to execute arbitrary >> code. >> >> The vulnerability is introduced by an insecure change to >> LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for >> libraries on a directory other than the standard paths. >> >> Vulnerable code follows: >> >> /usr/bin/usttrace line 136: >> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" >> /usr/bin/usttrace line 144: >> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${LIBUST_PATH%libust.so}" > Changing this for something like the following should do the trick: > > if [ "x${LD_LIBRARY_PATH}" != "x" ]; then > export LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${LIBUST_PATH%libust.so}" > else > export LD_LIBRARY_PATH="${LIBUST_PATH%libust.so}" > fi > Don't we still have the same problem, that if LD_LIBRARY_PATH *already* contains a " " in the list, it will still be there after we append LIBUST_PATH? libust.so gets installed in /usr/lib for those who install the package. For the others, don't we add an entry in ld.so.cache? Alexandre > (untested, but should do the trick) > > Note that I added extra braces ( ${} ) to delimit the variable more > clearly. > > Thanks, > > Mathieu > > >> When there's an empty item on the colon-separated list of >> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) >> If the given script is executed from a directory where a potential, >> local, attacker can write files to, there's a chance to exploit this >> bug. >> >> This vulnerability has been assigned the CVE id CVE-2010-3386. Please make sure >> you mention it when forwarding this report to upstream and when fixing >> this bug (everywhere: upstream and here at Debian.) >> >> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3386 >> [1] http://security-tracker.debian.org/tracker/CVE-2010-3386 >> >> Sincerely, >> Raphael Geissert >> >> >> >> ----- End forwarded message ----- >> >> _______________________________________________ >> ltt-dev mailing list >> ltt-dev at lists.casi.polymtl.ca >> http://lists.casi.polymtl.ca/cgi-bin/mailman/listinfo/ltt-dev >>