Bug 638429 (CVE-2010-3353)

Summary: CVE-2010-3353 cowbell: insecure library loading vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Reopened, Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-08 20:32:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 638431    
Bug Blocks:    

Description Vincent Danen 2010-09-29 00:28:05 UTC 
Raphael Geissert conducted a review of various packages in Debian and found that cowbell contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/cowbell re-sets LD_LIBRARY_PATH insecurely:

export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

A solution is to patch the script to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

if [ -z ${LD_LIBRARY_PATH} ]; then
    export LD_LIBRARY_PATH=/usr/lib/foo
else
    export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
fi

This issue has been assigned the name CVE-2010-3353.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286
Comment 1 Vincent Danen 2010-09-29 00:29:41 UTC 
Created cowbell tracking bugs for this issue

Affects: fedora-all [bug 638431]
Comment 2 Tomas Hoger 2010-09-29 07:44:35 UTC 
This one-liner should work as an alternative to if-else-fi fix:
export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
Comment 3 Thomas Janssen 2011-02-09 09:26:34 UTC 
According to the colleagues from Debian project, there's no vulnerability.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#55

I'm closing it as they did. Feel free to reopen and explain why.
Comment 4 Tomas Hoger 2011-02-09 10:02:31 UTC 
There is one uncommon case when ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} does the wrong thing - if you export empty LD_LIBRARY_PATH.  This setting itself is harmless and will not trigger library search relative to CWD.

$ touch libc.so.6

$ export LD_LIBRARY_PATH=

$ /bin/true

But ${foo+} and ${foo:+} expansion is different and may lead to non-empty LD_L_P with empty path component.

$ cat blah.sh 
#!/bin/sh
libdir="/usr/lib/cowbell"
export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
echo $LD_LIBRARY_PATH
/bin/true

$ ./blah.sh 
/usr/lib/cowbell:
/bin/true: error while loading shared libraries: libc.so.6: file too short

And the same with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:

$ ./blah.sh 
/usr/lib/cowbell

So while exported empty LD_L_P is uncommon, it seems reasonable to fix at least rawhide and not do update for released Fedora versions given the limited impact.

FYI, openoffice.org had the same issue fixed recently too - see bug #641224.
Comment 5 Tomas Hoger 2011-02-09 10:05:06 UTC 
(In reply to comment #4)
> And the same with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:

${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} that should be...
Comment 6 Tomas Hoger 2011-02-09 10:20:28 UTC 
(In reply to comment #3)
> According to the colleagues from Debian project, there's no vulnerability.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#55

Debian BTS does not allow me to post follow up on that bug, mail is rejected with "550 Unknown or archived bug" error.
Comment 7 Thomas Janssen 2011-02-09 10:26:48 UTC 
Ok, thanks for the explanation. I will fix it in rawhide.

I will also ping the Debian maintainer.
Comment 8 Vincent Danen 2011-06-14 16:55:04 UTC 
From what I can tell, this has still not been corrected in Fedora.  Can this be taken care of?  It's a fairly minor fix.
Comment 9 Vincent Danen 2013-05-08 20:32:30 UTC 
This cowbell package is no longer available in Fedora, closing.