Bug 469657 (CVE-2008-4865)

Summary: CVE-2008-4865 valgrind: .valgrindrc loaded from untrusted locations
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bressers, jakub, rbu
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4865
Doc Type: Bug Fix
Last Closed: 2011-08-11 14:24:52 UTC
Attachments: Upstream patch, mentioned in the previous comment (Flags: none)

Description Tomas Hoger 2008-11-03 09:50:13 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4865 to the following vulnerability:

Untrusted search path vulnerability in valgrind allows local users to
execute arbitrary programs via a Trojan horse .valgrindrc file in the
current working directory, as demonstrated using a malicious
--db-command option. NOTE: the severity of this issue has been
disputed, but CVE is including this issue because execution of a
program from an untrusted directory is a common scenario.

References:
http://www.openwall.com/lists/oss-security/2008/10/27/4

Comment 1 Tomas Hoger 2008-11-03 09:57:04 UTC
As a side note:
A similar issue was reported in the past for gdb and its handling of the .gdbinit file, and was assigned CVE id CVE-2005-1705:

  http://bugs.gentoo.org/show_bug.cgi?id=88398 (Tavis' report)

Current gdb versions apply certain checks to the .gdbinit file before using it. The file is rejected as untrusted when it is group-writeable or owned by a different user. This eliminates the vector where a malicious local user tricks the victim into running gdb in a specially crafted directory, but does not eliminate the "tarball with 'your app crashes on this input file' along with a malicious init file" vector. There currently does not seem to be any good way to address this without breaking the init file feature completely.

Comment 2 Robert Buchholz 2009-01-05 02:11:02 UTC
This has been resolved in 3.4 or r8798:

$ svn log -c 8798 svn://svn.valgrind.org/valgrind/trunk
------------------------------------------------------------------------
r8798 | dirk | 2008-11-22 13:03:19 +0100 (Sat, 22 Nov 2008) | 3 lines

ignore .valgrindrc files that are world writeable
or not owned by the current user (CVE-2008-4865)

------------------------------------------------------------------------

Comment 3 Tomas Hoger 2009-01-08 10:07:08 UTC
Created attachment 328455 [details]
Upstream patch, mentioned in the previous comment

svn diff -c 8798 svn://svn.valgrind.org/valgrind/trunk

Comment 4 Tomas Hoger 2009-02-03 10:58:57 UTC
The fix is now included in the new upstream version, 3.4:
  http://valgrind.org/docs/manual/dist.news.html

Comment 6 Tomas Hoger 2009-02-05 09:13:52 UTC
This issue affects the versions of valgrind shipped in Red Hat Enterprise Linux 4 and 5, as well as current Fedora versions (9, 10).

This issue has been rated as having low security impact; a future update may address this flaw.

Comment 7 Tomas Hoger 2011-02-17 15:28:29 UTC
The valgrind packages were rebased in Red Hat Enterprise Linux 5.5 to upstream version 3.5.0, which contains the patch mentioned above that prevents reading a world-writeable or not-owned .valgrindrc:
  http://rhn.redhat.com/errata/RHEA-2010-0272.html