[Debian-ha-maintainers] Bug#598549: [Linux-ha-dev] Fwd: Bug#598549: cluster-agents: CVE-2010-3389: insecure library loading

Aníbal Monsalve Salazar anibal at debian.org
Sat Oct 2 03:13:20 UTC 2010


On Sat, Oct 02, 2010 at 12:22:41AM +0900, Simon Horman wrote:
>On Fri, Oct 01, 2010 at 07:55:02PM +1000, Aníbal Monsalve Salazar wrote:
>>On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
>>>I received this through the Debian bug tracker.
>>>It's not immediately clear to me what an appropriate fix would be.
>>
>>The following diff shows how I fixed the "qtparted: CVE-2010-3375:
>>insecure library loading" bug.
>>
>>-export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
>>+LD_LIBRARY_PATH=$( echo "$LD_LIBRARY_PATH" | sed "s/\s//g" )
>>+if [ -n "$LD_LIBRARY_PATH" ]
>>+then
>>+      export LD_LIBRARY_PATH="$QTDIR/lib:$LD_LIBRARY_PATH"
>>+else
>>+      export LD_LIBRARY_PATH="$QTDIR/lib"
>>+fi
>> export PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH
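Review bot: the sed on the first added line strips whitespace only, so an inherited LD_LIBRARY_PATH of ':' or '::' still passes the `[ -n ... ]` test and the export becomes "$QTDIR/lib::"; the empty fields are read by the dynamic loader as the current directory, which is the same hazard CVE-2010-3375 is about. Either drop empty fields as well (for example `sed 's/[[:space:]]//g; s/::*/:/g; s/^://; s/:$//'`, which also avoids `\s`, a GNU sed extension) or set `LD_LIBRARY_PATH="$QTDIR/lib"` unconditionally, since the wrapper already knows the only directory it needs. The unchanged `export PATH=...:$PATH` line has the same trailing-colon problem when PATH is empty.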
>>
>>Please note that if you also set PATH as above, you'll have to check
>>$PATH before adding it with ":$PATH" to PATH.
>>
>>If $PATH is empty then ":$PATH" is equivalent to ":." and you don't want
>>to add "." to the path search.
>>
>
>Thanks Aníbal,
>
>poking a little further it seems that the problem has been addressed
>by the following recent upstream patch. Do you have any thoughts on it?
>
># HG changeset patch
># User Dejan Muhamedagic <dejan at hello-penguin.com>
># Date 1284894558 -7200
># Node ID 2773e5850003fb90995a27811752224fde96c2b7
># Parent  9d67fff01b34e87b6a855f1ea9b8a8accb771680
>Low: SAPDatabase,SAPInstance: improve LD_LIBRARY_PATH processing (bnc#640026)
>
>diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPDatabase
>--- a/heartbeat/SAPDatabase	Thu Sep 16 09:48:04 2010 +0200
>+++ b/heartbeat/SAPDatabase	Sun Sep 19 13:09:18 2010 +0200
>@@ -967,7 +967,8 @@
> 
> # as root user we need the library path to the SAP kernel to be able to call executables
> if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
>-  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
>+  LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
>+  export LD_LIBRARY_PATH
> fi
> sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
> 
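Review bot: `${LD_LIBRARY_PATH:+:}` on the first added line only guards against an empty value; anything non-empty but useless, such as a single space or a lone ':', is still appended, giving "$DIR_EXECUTABLE: " or "$DIR_EXECUTABLE::", and the empty field is searched as the current directory by ld.so. Since this runs as root, the inherited value should not be trusted at all: either set `LD_LIBRARY_PATH=$DIR_EXECUTABLE` outright, or strip whitespace and drop empty and relative fields before prepending. The unquoted `echo $LD_LIBRARY_PATH` in the guard on the line above has the same weakness (a value of ' ' is echoed as an empty line, so the grep check cannot see it), and `\>` is a GNU grep extension.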
>diff -r 9d67fff01b34 -r 2773e5850003 heartbeat/SAPInstance
>--- a/heartbeat/SAPInstance	Thu Sep 16 09:48:04 2010 +0200
>+++ b/heartbeat/SAPInstance	Sun Sep 19 13:09:18 2010 +0200
>@@ -297,7 +297,8 @@
> 
>   # as root user we need the library path to the SAP kernel to be able to call sapcontrol
>   if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
>-    LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
>+    LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
>+    export LD_LIBRARY_PATH
>   fi
> 
>   sidadm="`echo $SID | tr [:upper:] [:lower:]`adm"
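Review bot: this hunk repeats the SAPDatabase change line for line, including its gap: a whitespace-only or ':'-only LD_LIBRARY_PATH is non-empty, so `${LD_LIBRARY_PATH:+:}` still produces a trailing empty field that ld.so treats as the current directory while sapcontrol runs as root. Put the sanitising logic in one shared helper that both agents call, so a later fix does not have to be applied twice, and have that helper discard empty, whitespace and relative entries (or simply replace the inherited value with $DIR_EXECUTABLE).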

DIR_EXECUTABLE=/tmp/bin; LD_LIBRARY_PATH=/tmp/lib:/var/tmp/lib; LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ DIR_EXECUTABLE=/tmp/bin
+ LD_LIBRARY_PATH=/tmp/lib:/var/tmp/lib
+ LD_LIBRARY_PATH=/tmp/bin:/tmp/lib:/var/tmp/lib

It works if LD_LIBRARY_PATH is well defined (see above), but it doesn't
work (it is still vulnerable) if LD_LIBRARY_PATH contains only a space or
a ':' (see below).

DIR_EXECUTABLE=/tmp/bin; LD_LIBRARY_PATH=' '; LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ DIR_EXECUTABLE=/tmp/bin
+ LD_LIBRARY_PATH=' '
+ LD_LIBRARY_PATH='/tmp/bin: '

DIR_EXECUTABLE=/tmp/bin; LD_LIBRARY_PATH=':'; LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH
+ DIR_EXECUTABLE=/tmp/bin
+ LD_LIBRARY_PATH=:
+ LD_LIBRARY_PATH=/tmp/bin::
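The traces above show why `${LD_LIBRARY_PATH:+:}` is not enough: ld.so reads an empty colon-separated field (leading ':', trailing ':' or '::') as the current directory, and resolves any relative entry against it too. The following helper, added here as an example and not code from resource-agents, qtparted or either upstream patch, prepends a directory and keeps only absolute, de-duplicated entries; the names `sanitize_ldpath` and `prepend_libdir` are this example's own, and the inputs in the demo loop are the constructed values from the traces above.

```sh
#!/bin/sh
# Added example (not resource-agents or qtparted code): build LD_LIBRARY_PATH
# without ever letting ld.so search the current directory.
#
# ld.so treats an empty field ("", leading/trailing ":", "::") as ".", and a
# relative entry is resolved against the cwd.  Whitespace-only entries are
# just bogus relative directories.  All of those are dropped here.

# sanitize_ldpath VALUE
#   Print VALUE as a ':'-joined list of absolute entries, first occurrence
#   wins; whitespace inside an entry is stripped before the checks.
sanitize_ldpath() {
    _in=$1
    _out=''
    _oldifs=$IFS
    IFS=':'                     # split on ':' only (IFS has no whitespace)
    set -f                      # do not glob the split fields
    for _f in $_in; do
        _f=$(printf '%s' "$_f" | tr -d ' \t')
        case $_f in
            /*) ;;              # absolute path: keep
            *)  continue ;;     # empty, ".", or relative: drop
        esac
        case ":$_out:" in
            *":$_f:"*) continue ;;   # already present, keep first occurrence
        esac
        _out=${_out:+$_out:}$_f
    done
    set +f
    IFS=$_oldifs
    printf '%s\n' "$_out"
}

# prepend_libdir DIR [VALUE]
#   Print DIR followed by the sanitized VALUE (default: the current
#   LD_LIBRARY_PATH).  DIR is placed first, so a later duplicate of it in
#   VALUE is dropped by sanitize_ldpath.  Fails if DIR is not absolute.
prepend_libdir() {
    case $1 in
        /*) ;;
        *)  printf 'prepend_libdir: %s is not an absolute directory\n' "$1" >&2
            return 1 ;;
    esac
    sanitize_ldpath "$1:${2-$LD_LIBRARY_PATH}"
}

# Demo with the three inherited values from the traces (constructed inputs).
for _v in '/tmp/lib:/var/tmp/lib' ' ' ':'; do
    printf '%-24s -> %s\n' "'$_v'" "$(prepend_libdir /tmp/bin "$_v")"
done
```

In an agent you would then write `LD_LIBRARY_PATH=$(prepend_libdir "$DIR_EXECUTABLE"); export LD_LIBRARY_PATH`. Dropping relative entries is deliberately stricter than the two patches: for a script that runs as root, an inherited `lib` or `.` is as dangerous as an empty field.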
