Bug#598308: vdr-dbg: CVE-2010-3387: insecure library loading (NMU 1.6.0-19.1)
Jari Aalto
jari.aalto at cante.net
Mon Oct 18 11:46:03 UTC 2010
Julien Cristau <jcristau at debian.org> writes:
> On Mon, Oct 18, 2010 at 13:42:43 +0300, Jari Aalto wrote:
>
>> + * debian/vdrleaktest
>> + - Remove extra colon from LD_LIBRARY_PATH and improve security
>> + by cleaning LD_LIBRARY_PATH with new function Pathclean().
>> + (normal, security, reopened; Closes: #598308).
>> +
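Review bot: the changelog line "improve security by cleaning LD_LIBRARY_PATH" does not say what the cleaning removes. State that Pathclean() strips empty components (a doubled, leading or trailing colon), so the entry can be checked against the bug title "insecure library loading".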
>
> That's not "improve security", that's "add obfuscation". Just remove
> the freaking colon...
Removing the colon does not address this:
(
LD_LIBRARY_PATH="::"
LD_LIBRARY_PATH="/usr/lib/debug${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
echo $LD_LIBRARY_PATH
)
# /usr/lib/debug:::
as far as security is concerned:
(
Pathclean ()
{
    # Vulnerability fix for insecure library loading
    # Make sure "::", "^:" or ":$" is not left in path arg $1
    local tmp123xyz
    # Collapse each run of colons to a single one (deleting the run would
    # join neighbouring directories), then trim a leading or trailing colon
    tmp123xyz=$(echo "$1" | sed -e 's/::\+/:/g ; s/^:// ; s/:$//' )
    [ "$tmp123xyz" ] && echo "$tmp123xyz"
}
LD_LIBRARY_PATH="::"
LD_LIBRARY_PATH="/usr/lib/debug${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
echo "before: $LD_LIBRARY_PATH"
echo -n "after: "
Pathclean "$LD_LIBRARY_PATH"
)
# before: /usr/lib/debug:::
# after: /usr/lib/debug
Raphael, you reported the CVE. Do you have any thoughts?
Jari
P.S. Noticed a slight bug in resent NMU concerning Pathclean().
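An added example, not part of the original message or of the vdr package: a POSIX shell version of the same clean-up that splits the list on colons and keeps only non-empty components, so neighbouring directories are never joined. The function names path_strip_empty and path_prepend and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ld.so treats an empty LD_LIBRARY_PATH component ("::", a
# leading ":" or a trailing ":") as the current working directory.

# path_strip_empty PATHLIST
# Prints PATHLIST with every empty component removed. Prints nothing and
# returns 1 when no component is left, so the caller can leave the
# variable without any separator at all.
path_strip_empty() {
    _rest=$1
    _out=
    while [ -n "$_rest" ]; do
        case $_rest in
            *:*) _item=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _item=$_rest;       _rest= ;;
        esac
        [ -n "$_item" ] || continue      # skip the empty slot
        _out=${_out:+$_out:}$_item
    done
    [ -n "$_out" ] || return 1
    printf '%s\n' "$_out"
}

# path_prepend DIR PATHLIST
# Prints DIR followed by the cleaned PATHLIST, never leaving an empty slot.
path_prepend() {
    if _tail=$(path_strip_empty "$2"); then
        printf '%s\n' "$1:$_tail"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample values, including the "::" case from the thread.
for sample in "::" "/opt/lib:" ":/opt/lib" "/opt/a::/opt/b" ""; do
    printf '%-18s -> %s\n' "'$sample'" \
        "$(path_prepend /usr/lib/debug "$sample")"
done
```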