Bug 24334 - CVE-2010-3378: insecure library loading
Summary: CVE-2010-3378: insecure library loading
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: scilab
Version: unstable
Hardware: all Linux
Importance: P3 blocker
Assignee: Nobody's working on this, feel free to take it
QA Contact: qa-sisyphus
URL: http://bugs.debian.org/598422
Keywords: security
Depends on:
Blocks:
 
Reported: 2010-10-16 12:53 MSD by Vladimir Lettiev
Modified: 2021-09-29 13:39 MSK (History)
Description Vladimir Lettiev 2010-10-16 12:53:56 MSD
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/scilab-adv-cli line 280:
                    LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH"
/usr/bin/scilab-adv-cli line 459:
		    LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab-adv-cli line 518:
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/"
/usr/bin/scilab-adv-cli line 534:
LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH
/usr/bin/scilab line 283:
                    LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH"
/usr/bin/scilab line 462:
		    LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab line 521:
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/"
/usr/bin/scilab line 537:
LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential local
attacker can write files, there's a chance to exploit this bug.
Comment 1 Vladimir Lettiev 2010-10-16 13:30:41 MSD
Compared to Debian, the only shell script in our scilab package is /usr/bin/scilab.
It has several places where LD_LIBRARY_PATH is modified insecurely:

/usr/bin/scilab line 398: LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"

/usr/bin/scilab line 442:
LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

In the latter case it is better to replace it with:
LD_LIBRARY_PATH=$SCILIB${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
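The difference between the two expansions above is easy to get wrong, so here is an added example (not code from the scilab scripts or from this bug report) that puts the vulnerable form and the suggested fix side by side, adds a check for the empty component that ld.so would resolve to the current directory, and strips such components from an inherited value. The function names and the sample paths (/usr/lib/scilab, /opt/lib, /a, /b) are made up for the demonstration.

```sh
#!/bin/sh
# Added example; not from the scilab scripts or the bug report.
# Shows why ${VAR+:$VAR} is unsafe and ${VAR:+:$VAR} is not, and how to
# detect or strip the empty component that ld.so would resolve to '.'.
# All function names and sample paths below are made up for this demo.

# Vulnerable form (line 442 in the report): '+' only tests "set", so a
# value that is set but empty (e.g. "LD_LIBRARY_PATH= scilab") still
# gets a trailing ':' appended, i.e. an empty component.
unsafe_path() {
    _lib=$1
    _cur=$2
    printf '%s\n' "$_lib${_cur+:$_cur}"
}

# Fixed form suggested in Comment 1: ':+' tests "set AND non-empty".
safe_path() {
    _lib=$1
    _cur=$2
    printf '%s\n' "$_lib${_cur:+:$_cur}"
}

# Returns 0 (true) if the colon-separated list has an empty component:
# a leading ':', a trailing ':' or '::' anywhere. A completely empty
# value is treated as "no components" rather than as a CWD entry.
has_empty_component() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Drops every empty component, so an inherited value such as ':/opt/lib'
# or '/a::/b' cannot smuggle a current-directory lookup into the path
# the launcher exports.
strip_empty_components() {
    _out=
    _rest="$1:"            # trailing ':' makes the loop see the last field
    while [ -n "$_rest" ]; do
        _field=${_rest%%:*}
        _rest=${_rest#*:}
        [ -n "$_field" ] || continue
        _out="${_out:+$_out:}$_field"
    done
    printf '%s\n' "$_out"
}

# Demo: build the path a launcher would export, both ways.
SCILIB=/usr/lib/scilab               # placeholder, not a real install path
inherited=                           # set but empty, the case from the report
echo "unsafe:  $(unsafe_path "$SCILIB" "$inherited")"        # /usr/lib/scilab:
echo "safe:    $(safe_path "$SCILIB" "$inherited")"          # /usr/lib/scilab
echo "cleaned: $(strip_empty_components "$SCILIB:/a::/b:")"  # /usr/lib/scilab:/a:/b
```

A launcher that inherits LD_LIBRARY_PATH from the user's environment cannot assume it is well formed, so the ':+' form alone only protects against the set-but-empty case; running the inherited value through strip_empty_components first also removes a leading, trailing or doubled colon that was already present.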
Comment 2 nbr 2010-11-16 23:33:39 MSK
This is no longer my responsibility.
While you're at it, also fix the arithmetic overflow error when compiling the Fortran code.
Comment 3 Vitaly Kuznetsov 2010-11-17 02:12:12 MSK
$ ssh git.alt acl sisyphus scilab show     
scilab	nbr @everybody

Reassign the package to nobody@.
Comment 4 Anton Farygin 2021-09-29 13:39:47 MSK
scilab-6.1.1-alt1 handles empty values in LD_LIBRARY_PATH.