Bug 484065 (CVE-2009-0415)
Summary: | CVE-2009-0415 trickle: Possibility to load arbitrary code from current working directory | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NEXTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | manuel.wolfshant, mtasaka, nicoleau.fabien |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513456 | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-02-25 21:11:25 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Lieskovsky
2009-02-04 16:07:41 UTC
This issue affects all versions of the trickle package, as shipped with Fedora releases of 9, 10 and devel. Please fix. As the package provides trickle-overload.so in %libdir/trickle/ , I think I can juste patch trickle.c and change : char *trypaths[] = { LIBNAME, LIBDIR "/" LIBNAME, NULL }; to char *trypaths[] = { LIBDIR "/" LIBNAME, NULL }; seems ok to me ! or perhaps just change priority: char *trypaths[] = { LIBDIR "/" LIBNAME, LIBNAME, NULL }; As no patch seems available atm, I'll remove "LIBNAME" from "trypath" Don't know why bodhi did not update this bug. The update is available for F9 and F10 in updates-testing repository Looking at the change that was used: http://cvs.fedoraproject.org/viewvc/rpms/trickle/devel/trickle.spec?r1=1.3&r2=1.4 This fix looks quite fragile to me, as any future change to the trickle.c (e.g. future version update) can easily cause the offending line to change it's position in the file and result it deletion some other line (that may or may not be caught during the compile). Regex-controlled deletion may be slightly better, standalone diff still sounds like the safest alternative. That's true. I pushed a new release with a patch instead of a sed. trickle-1.07-7.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. trickle-1.07-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. It seems that koji does not close this bug, so I do it myself. |