Bug 638381 (CVE-2010-3355)
Summary: | CVE-2010-3355 ember: insecure library loading vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | atorkhov, bruno, wart |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-09-15 17:28:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 638382 | ||
Bug Blocks: |
Description
Vincent Danen
2010-09-28 22:03:35 UTC
Created ember tracking bugs for this issue Affects: fedora-all [bug 638382] This one-liner should work as an alternative to if-else-fi fix: export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} This still seems to be the case with 0.6.0. Did this get reported upstream yet? Once I get commit access, I'll get this fixed in rawhide and F15 promptly. ember is FTBFS in F13 (not sure about F14) and I can't go to 0.6.0 because it needs ogre 1.7 which is not going to be available in F13 or F14. I might be able to go to 0.5.8, but this does seem to be pretty low risk and I may not get enough time to fix it before the problem is moot. There are no open or resolved cve bugs in ember's bug tracker, so it doesn't look like it has been reported to them. Hi Bruno. Do you have an account on upstream's bug tracker? If you do, would you mind filing a bug with them? It's very possible that this didn't make it's way upstream. No I don't. I also ended up fixing it a bit differently than they would. For Fedora no libs are produced for ember. It looks like that is really only needed when bundling libs which we don't do. So I commented the LD stuff out. Upstream may want to use the suggestions in this bug report. Also as a side note I was struggling with the FTBFS issues on F13 and F14 making it hard to just update the script. Going to 0.6.0 is right out. I don't know about 0.5.8. The code has some substantial differences and I am not sure of the library requirements. This has been corrected in ember-0.6.0-5.fc15, however Fedora 14 is still vulnerable to this. That's because ember is FTBFS in F14, making it hard to do the change. Upgrading major releases needs to be done carefully. I might have a better chance to get it to build now as I have some more practice with the WF stuff since I have been updating everything to the latest in rawhide. I did mention the issue upstream, but I don't think they did anything with it. I can check their git repo and submit a patch to their mailing list though. I have been talking to these guys a bit lately, so they'd probably look at it. |