ALT Linux Bugzilla – Full Text Bug Listing
| Summary: | CVE-2010-3378: insecure library loading | ||
|---|---|---|---|
| Product: | Sisyphus | Reporter: | Vladimir Lettiev <crux> |
| Component: | scilab | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED FIXED | QA Contact: | qa-sisyphus |
| Severity: | blocker | ||
| Priority: | P3 | CC: | rider |
| Version: | unstable | Keywords: | security |
| Hardware: | all | ||
| OS: | Linux | ||
| URL: | http://bugs.debian.org/598422 | ||
По сравнению с debian у нас в scilab из shell-скриптов есть только /usr/bin/scilab
Там есть несколько точек с небезопасным изменением LD_LIBRARY_PATH:
/usr/bin/scilab line 398: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab line 442:
LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
В последнем случае лучше заменить на:
LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Это не ко мне уже. Заодно исправьте ошибку с арифметическим переполнением при компиляции фортрана. $ ssh git.alt acl sisyphus scilab show scilab nbr @everybody перевесьте пакет на nobody@ В scilab-6.1.1-alt1 есть обработка пустых значений переменных в LD_LIBRARY_PATH |
The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries on a directory other than the standard paths. Vulnerable code follows: /usr/bin/scilab-adv-cli line 280: LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH" /usr/bin/scilab-adv-cli line 459: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab-adv-cli line 518: LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/" /usr/bin/scilab-adv-cli line 534: LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH /usr/bin/scilab line 283: LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH" /usr/bin/scilab line 462: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH" /usr/bin/scilab line 521: LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/" /usr/bin/scilab line 537: LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given script is executed from a directory where a potential, local, attacker can write files to, there's a chance to exploit this bug.