Bug#598308: vdr-dbg: CVE-2010-3387: insecure library loading
Julien Cristau
jcristau at debian.org
Tue Sep 28 14:36:06 UTC 2010
On Tue, Sep 28, 2010 at 04:23:26 +0000, Raphael Geissert wrote:
> Package: vdr-dbg
> Version: 1.6.0-18
> Severity: grave
> Tags: security
> User: team at security.debian.org
> Usertags: ldpath
>
> Hello,
>
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
>
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.
>
> Vulnerable code follows:
>
> /usr/bin/vdrleaktest line 73:
> LANG=C LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" \
> valgrind --tool=memcheck --leak-check=yes --num-callers=20 \
> --suppressions=/usr/share/vdr/valgrind.supp \
> /usr/bin/vdr-dbg -v $VIDEO_DIR -c $CFG_DIR -L $PLUGIN_DIR -r $REC_CMD \
> -E $EPG_FILE -g /tmp $OPTIONS --port $SVDRP_PORT --lirc \
> "$@"
>
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.
>
LD_LIBRARY_PATH is colon-separated, though, not semicolon-separated, so
LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" is broken, but not a
security issue. Besides, this looks like a debugging utility so I don't
think it would warrant 'grave' severity even if the bug was there.
Cheers,
Julien
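The two points raised in this thread (a semicolon is not a separator for LD_LIBRARY_PATH, and an empty colon-separated entry is treated by ld.so as the current directory) can be checked mechanically before a script is shipped. The following shell helpers are an added example written for this page; they are not part of the vdr package or the vdrleaktest script, and the sample values fed to them are constructed to mirror the line quoted in the report. `count_empty_ldpath_entries` counts the empty entries ld.so would resolve to the working directory, and `safe_prepend_ldpath` builds a prepended value that never introduces one, even when the inherited variable is unset.

```shell
#!/bin/sh
# Added example (not from the bug report or the vdr package): audit an
# LD_LIBRARY_PATH value for empty entries and prepend a directory safely.

# Print the number of empty colon-separated entries in $1.
# ld.so treats an empty entry (":foo", "foo:" or "a::b") as the current
# working directory, which is the exposure the report describes.
count_empty_ldpath_entries() {
    _path=$1
    _count=0
    # A completely empty variable has no entries at all, so report 0.
    [ -z "$_path" ] && { echo 0; return 0; }
    # Append one separator so the loop also sees a trailing empty entry.
    _rest=$_path:
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        [ -z "$_entry" ] && _count=$((_count + 1))
    done
    echo "$_count"
}

# Print "$1:$2", or just "$1" when the inherited value $2 is empty, so the
# result never ends in a separator (which would be an empty entry).
safe_prepend_ldpath() {
    if [ -z "$2" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$1:$2"
    fi
}

# Demonstration with constructed values, run from an empty environment.
# The report's form uses ';', which ld.so does not split, so the whole
# string is one (nonexistent) directory and there is no empty entry.
reported="/usr/lib/debug;"
echo "reported form: $(count_empty_ldpath_entries "$reported") empty entries"
# Fixing the separator naively with an unset LD_LIBRARY_PATH does create one.
naive="/usr/lib/debug:"
echo "naive colon form: $(count_empty_ldpath_entries "$naive") empty entries"
# The safe form keeps the intended directory and adds nothing else.
safe=$(safe_prepend_ldpath /usr/lib/debug "")
echo "safe form: $safe ($(count_empty_ldpath_entries "$safe") empty entries)"
```

Running the block with LD_LIBRARY_PATH unset prints 0, 1 and 0 empty entries for the three forms; the middle case is the one a reviewer should flag, since a trailing colon quietly adds the working directory to the library search path.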