Bug#598421: salome: CVE-2010-3377: insecure library loading

Adam C Powell IV hazelsct at debian.org
Thu Sep 30 03:01:00 UTC 2010 

Hello,

On Tue, 2010-09-28 at 21:07 +0000, Raphael Geissert wrote:
> Package: salome
> Version: 5.1.3-9
> Severity: grave
> Tags: security
> User: team at security.debian.org
> Usertags: ldpath
> 
> Hello,
> 
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
> 
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.

Thank you, I'm glad your review found this.

Would a secure change omit the former LD_LIBRARY_PATH?  That is, would
it fix this in runSalome to say:

export LD_LIBRARY_PATH=${prefix}/lib:${libdir}:/usr/lib:/usr/local/lib
?

The prefix and libdir variables are set elsewhere in runSalome, so I
don't think one could override those...  But if it could be a problem,
I'll have that script hard-code them instead.

> Vulnerable code follows:
> 
> /usr/bin/runSalome line 28:
> export LD_LIBRARY_PATH=${prefix}/lib:${libdir}:$LD_LIBRARY_PATH
> /usr/bin/runTestMedCorba line 29:
>   export LD_LIBRARY_PATH=$MED_ROOT_DIR/lib/salome:${LD_LIBRARY_PATH}
> /usr/bin/runTestMedCorba line 37:
>   export LD_LIBRARY_PATH=$MED_ROOT_DIR/lib/salome:${LD_LIBRARY_PATH}
> 
> Possibly vulnerable too:
> /usr/lib/salome/bin/runLightSalome line 139:
>     export LD_LIBRARY_PATH=${MY_LD_LIBRARY_PATH}:${LD_LIBRARY_PATH}
> /usr/lib/salome/bin/hxx2salome line 329:
> 	    echo -e "setenv LD_LIBRARY_PATH \${${CLASS_NAME}CPP_ROOT_DIR}${lib_dir#${CPP_ROOT_DIR}}:\${LD_LIBRARY_PATH}" >> ${ENVIRON_FILE}
> /usr/lib/salome/bin/hxx2salome line 351:
> 	    echo -e "export LD_LIBRARY_PATH=\${${CLASS_NAME}CPP_ROOT_DIR}${lib_dir#${CPP_ROOT_DIR}}:\${LD_LIBRARY_PATH}" \
> 	    >> ${ENVIRON_FILE}

I see a couple of other bugs in those lines as well...  Okay, a lot of
work to do, but starting with fixing the security issue, as soon as I
hear my fix idea above.

> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.
> 
> This vulnerability has been assigned the CVE id CVE-2010-3377. Please make sure
> you mention it when forwarding this report to upstream and when fixing
> this bug (everywhere: upstream and here at Debian.)
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3377
> [1] http://security-tracker.debian.org/tracker/CVE-2010-3377

Thanks, I'll make sure upstream knows about this.

-Adam
-- 
GPG fingerprint: D54D 1AEE B11C CE9B A02B  C5DD 526F 01E8 564E E4B6

Engineering consulting with open source tools
http://www.opennovation.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/debian-science-maintainers/attachments/20100929/87370f6e/attachment-0001.pgp>

More information about the debian-science-maintainers mailing list