Bug 1044846 (CVE-2013-7172)

Summary: CVE-2013-7172 libiodbc: insecure RPATH in certain binaries
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Murray McAllister <mmcallis>
Assignee: Red Hat Product Security <security-response-team>
CC: pfrields, rdieter, than, vdanen, vkrizan
Doc Type: Bug Fix
Last Closed: 2013-12-19 05:42:56 UTC

Description Murray McAllister 2013-12-19 05:41:58 UTC
It was reported that the iodbctest and iodbctestw tools provided by the libiodbc package had an insecure RPATH (/tmp/) entry:

http://seclists.org/bugtraq/2013/Dec/93

This could lead to arbitrary code execution with the privileges of the user running the affected tools.

This issue did not affect the libiodbc packages in Fedora or EPEL, as the packages are built in /builddir/ and not /tmp/.

CVE request: http://seclists.org/oss-sec/2013/q4/525

Comment 1 Murray McAllister 2013-12-20 03:45:15 UTC
CVE-2013-7172 was assigned to this issue: http://seclists.org/oss-sec/2013/q4/527

Comment 2 Rex Dieter 2013-12-20 19:09:22 UTC
As an addendum to comment #1 about Fedora/EPEL packages not being vulnerable, we explicitly delete the rpaths from the binaries in question as part of the build process (using chrpath --delete).
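
The following script is an added example and is not part of this bug report, of libiodbc, or of the Fedora build. It ties the two halves of the thread together: the description's point that a DT_RPATH under /tmp/ lets any local user plant a library the dynamic linker will load before the system copy, and Rex Dieter's note that the Fedora build removes rpaths with chrpath --delete. It parses the DT_RPATH/DT_RUNPATH lines of `readelf -d` output (the GNU binutils format, e.g. `(RPATH) Library rpath: [...]`), classifies each colon-separated entry, and, when run on real files with STRIP=1, strips the rpath. The embedded readelf excerpt, the /tmp/libiodbc-build path, and the STRIP variable are constructed for the example; the report does not give the real build directory. The literal /tmp patterns give the same verdict on any host, while other absolute paths get a live check of whether the nearest existing parent directory is world-writable, since the sticky bit on /tmp does not stop another user from creating a missing subdirectory first.

```shell
#!/bin/sh
# Added example, not from the bug report or libiodbc: audit ELF binaries for
# DT_RPATH/DT_RUNPATH entries an unprivileged user could satisfy (the /tmp/
# case reported here) and strip them as the Fedora build does (chrpath --delete).
# Needs only POSIX sh; readelf/chrpath/patchelf are used when present.

# nearest_existing_dir PATH: longest existing prefix of an absolute PATH
# (for /tmp/libiodbc-build/iodbc/.libs on a stock system this is /tmp).
nearest_existing_dir() {
    d=$1
    while [ ! -d "$d" ] && [ "$d" != "/" ]; do
        d=$(dirname "$d")
    done
    echo "$d"
}

# other_writable DIR: true if the "other" write bit is set (column 9 of ls -ld).
# The sticky bit on /tmp only stops users deleting each other's files; it does
# not stop anyone from creating /tmp/libiodbc-build/iodbc/.libs/libiodbc.so.2.
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# rpath_entry_verdict ENTRY: prints "ok" or "unsafe: <reason>" for one
# colon-separated component. The /tmp-style patterns are matched literally so
# the verdict is host-independent; other absolute paths get a live check.
rpath_entry_verdict() {
    entry=$1
    case "$entry" in
        "")  echo "unsafe: empty entry, ld.so searches the current directory" ;;
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
             echo "unsafe: $entry is under a world-writable directory" ;;
        /home/*|/root/*)
             echo "unsafe: $entry is a build-time home directory" ;;
        '$ORIGIN'|'$ORIGIN/'*)
             echo "ok" ;;   # relative to the binary itself; fine unless the file is setuid
        /*)  base=$(nearest_existing_dir "$entry")
             if other_writable "$base"; then
                 echo "unsafe: $base (holding $entry) is world-writable"
             else
                 echo "ok"
             fi ;;
        *)   echo "unsafe: $entry is relative, resolved from the caller's cwd" ;;
    esac
}

# audit_rpath_string PATHS: one verdict line per entry; returns 1 if any is unsafe.
audit_rpath_string() {
    rest="$1:" bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        v=$(rpath_entry_verdict "$entry")
        echo "  [$entry] $v"
        [ "$v" = ok ] || bad=1
    done
    return $bad
}

# extract_dynamic_path TAG: from readelf -d output on stdin, print the value
# between [ ] on the (RPATH) or (RUNPATH) line; prints nothing if absent.
extract_dynamic_path() {
    sed -n "s/.*($1).*\[\([^]]*\)].*/\1/p"
}

# audit_binary FILE: readelf -d the file and audit both tags; returns 1 if unsafe.
audit_binary() {
    bin=$1 bad=0
    dyn=$(readelf -d "$bin" 2>/dev/null) || { echo "$bin: readelf could not read it"; return 1; }
    for tag in RPATH RUNPATH; do
        echo "$dyn" | grep -q "($tag)" || continue
        paths=$(echo "$dyn" | extract_dynamic_path "$tag")
        echo "$bin: DT_$tag = [$paths]"
        audit_rpath_string "$paths" || bad=1
    done
    [ "$bad" -eq 0 ] && echo "$bin: no unsafe rpath entries"
    return $bad
}

# strip_rpath FILE: the Fedora fix, chrpath --delete (patchelf --remove-rpath
# is the equivalent where chrpath is not installed).
strip_rpath() {
    if command -v chrpath >/dev/null 2>&1; then
        chrpath --delete "$1"
    elif command -v patchelf >/dev/null 2>&1; then
        patchelf --remove-rpath "$1"
    else
        echo "neither chrpath nor patchelf installed" >&2; return 1
    fi
}

# Constructed readelf -d excerpt shaped like an upstream-built iodbctest
# (the paths are made up; the report does not give the real build directory).
SAMPLE_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libiodbc.so.2]
 0x000000000000000f (RPATH)              Library rpath: [/tmp/libiodbc-build/iodbc/.libs:/usr/lib64]
 0x000000000000000c (INIT)               0x400c18'

demo=$(printf '%s\n' "$SAMPLE_READELF" | extract_dynamic_path RPATH)
echo "sample DT_RPATH = [$demo]"
audit_rpath_string "$demo" || echo "sample binary would load an attacker's libiodbc.so.2 from /tmp"

# Usage on real files: sh rpath-audit.sh /usr/bin/iodbctest; add STRIP=1 to fix them.
for f in "$@"; do
    audit_binary "$f" || if [ "${STRIP:-0}" = 1 ]; then strip_rpath "$f"; fi
done
```

Running it with no arguments only exercises the constructed sample, which flags the /tmp entry and accepts /usr/lib64. The permission fallback is what catches the general form of this bug: an rpath pointing at a directory that does not exist yet is just as exploitable as /tmp/ if any ancestor is world-writable, because the attacker creates the directory before the victim runs the tool.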