Bug 638381 (CVE-2010-3355)

Summary: CVE-2010-3355 ember: insecure library loading vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: atorkhov, bruno, wart
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-15 17:28:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 638382    
Bug Blocks:    

Description Vincent Danen 2010-09-28 22:03:35 UTC 
Raphael Geissert conducted a review of various packages in Debian and found that ember contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/ember re-sets LD_LIBRARY_PATH insecurely:

LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
export LD_LIBRARY
export LD_LIBRARY_PATH

A solution is to patch the script to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

if [ -z ${LD_LIBRARY_PATH} ]; then
    export LD_LIBRARY_PATH=/usr/lib/foo
else
    export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
fi

This issue has been assigned the name CVE-2010-3355.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598288
Comment 1 Vincent Danen 2010-09-28 22:04:28 UTC 
Created ember tracking bugs for this issue

Affects: fedora-all [bug 638382]
Comment 2 Tomas Hoger 2010-09-29 07:44:20 UTC 
This one-liner should work as an alternative to if-else-fi fix:
export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Comment 3 Bruno Wolff III 2011-03-07 04:07:37 UTC 
This still seems to be the case with 0.6.0. Did this get reported upstream yet?
Once I get commit access, I'll get this fixed in rawhide and F15 promptly. ember is FTBFS in F13 (not sure about F14) and I can't go to 0.6.0 because it needs ogre 1.7 which is not going to be available in F13 or F14. I might be able to go to 0.5.8, but this does seem to be pretty low risk and I may not get enough time to fix it before the problem is moot.
Comment 4 Bruno Wolff III 2011-03-12 15:30:28 UTC 
There are no open or resolved cve bugs in ember's bug tracker, so it doesn't look like it has been reported to them.
Comment 5 Vincent Danen 2011-03-14 16:40:22 UTC 
Hi Bruno.  Do you have an account on upstream's bug tracker?  If you do, would you mind filing a bug with them?  It's very possible that this didn't make it's way upstream.
Comment 6 Bruno Wolff III 2011-03-14 17:17:55 UTC 
No I don't. I also ended up fixing it a bit differently than they would. For Fedora no libs are produced for ember. It looks like that is really only needed when bundling libs which we don't do. So I commented the LD stuff out. Upstream may want to use the suggestions in this bug report.

Also as a side note I was struggling with the FTBFS issues on F13 and F14 making it hard to just update the script. Going to 0.6.0 is right out. I don't know about 0.5.8. The code has some substantial differences and I am not sure of the library requirements.
Comment 7 Vincent Danen 2011-05-31 17:58:42 UTC 
This has been corrected in ember-0.6.0-5.fc15, however Fedora 14 is still vulnerable to this.
Comment 8 Bruno Wolff III 2011-05-31 18:56:50 UTC 
That's because ember is FTBFS in F14, making it hard to do the change. Upgrading major releases needs to be done carefully. I might have a better chance to get it to build now as I have some more practice with the WF stuff since I have been updating everything to the latest in rawhide.

I did mention the issue upstream, but I don't think they did anything with it. I can check their git repo and submit a patch to their mailing list though. I have been talking to these guys a bit lately, so they'd probably look at it.