Bug 639044 (CVE-2010-3389)

Summary: CVE-2010-3389 rgmanager: insecure library loading vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: andrew, bressers, cluster-maint, edamato, fdinitto, lhh, mgrac
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-07 09:00:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 639045, 671073, 705763, 710637
Bug Blocks: 734217

Description Vincent Danen 2010-09-30 17:01:12 UTC
Raphael Geissert conducted a review of various packages in Debian and found that cluster-agents contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, resource-agents contains rgmanager, which has the same scripts as Debian's cluster-agents.  /usr/share/cluster/SAPDatabase and /usr/share/cluster/SAPInstance both re-set LD_LIBRARY_PATH insecurely:

# as root user we need the library path to the SAP kernel to be able to call executables
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then 
  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
fi

A solution is to patch the scripts to properly set $LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

This issue has been assigned the name CVE-2010-3389.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549
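The hazard described above comes down to one string-building rule: a colon-separated LD_LIBRARY_PATH must never contain an empty element, because ld.so(8) resolves an empty element to the current working directory. The script below is an added example written for this page; it is not code from the bug report, from Debian's cluster-agents or from resource-agents. It puts the vulnerable construction (`$DIR:$LD_LIBRARY_PATH`) beside a hardened replacement that uses the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` idiom from the report, goes one step further by also stripping empty elements inherited from the caller's environment, and adds a small audit helper for checking a running shell. Directory names such as /opt/sap/exe and /usr/lib64/sap are constructed sample values, not paths taken from the affected packages.

```shell
#!/bin/sh
# Added example, not code from the bug report or from resource-agents.
# Shows the empty-element hazard in LD_LIBRARY_PATH that the report describes
# and a prepend helper that never produces one. Directory names such as
# /opt/sap/exe are constructed sample values.

# Return 0 (true) if the colon-separated list in $1 has an empty element:
# a leading ':', a trailing ':' or a '::' in the middle. ld.so(8) searches
# the current working directory for each such element. A completely empty
# value is not flagged: ld.so ignores an empty LD_LIBRARY_PATH.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print $1 with every empty element removed.
strip_empty_elements() {
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while we split on ':'
    out=
    for elem in $1; do
        [ -n "$elem" ] && out=${out:+$out:}$elem
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# The construction from the vulnerable scripts: with an unset or empty
# LD_LIBRARY_PATH ($2) this yields "DIR:", whose trailing empty element
# means the current directory.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# Hardened replacement. Prints the new LD_LIBRARY_PATH value for prepending
# directory $1 to the current value $2:
#  - refuses an empty directory argument (it would itself be an empty element),
#  - strips empty elements inherited from the caller's environment,
#  - adds the separator only when there is something to separate (the
#    ${VAR:+:$VAR} idiom from the report),
#  - leaves the value alone if the directory is already listed.
build_ldpath() {
    dir=$1
    current=$2
    if [ -z "$dir" ]; then
        printf 'build_ldpath: refusing empty directory\n' >&2
        return 1
    fi
    if has_empty_element "$current"; then
        current=$(strip_empty_elements "$current")
    fi
    case ":$current:" in
        *":$dir:"*) printf '%s\n' "$current" ;;
        *)          printf '%s\n' "$dir${current:+:$current}" ;;
    esac
}

# Audit helper for a running shell: report whether the current
# LD_LIBRARY_PATH would make ld.so search the working directory.
audit_current_ldpath() {
    if has_empty_element "${LD_LIBRARY_PATH-}"; then
        printf 'LD_LIBRARY_PATH has an empty element: %s\n' "$LD_LIBRARY_PATH"
        return 1
    fi
    printf 'LD_LIBRARY_PATH is clean\n'
    return 0
}

# Demonstration with constructed values.
DIR_EXECUTABLE=/opt/sap/exe
printf 'unsafe, empty env: %s\n' "$(unsafe_prepend "$DIR_EXECUTABLE" "")"
printf 'safe,   empty env: %s\n' "$(build_ldpath "$DIR_EXECUTABLE" "")"
printf 'safe,   dirty env: %s\n' "$(build_ldpath "$DIR_EXECUTABLE" "/usr/local/lib::/usr/lib64/sap:")"
```

To apply the hardened form in a script, replace the assignment with `LD_LIBRARY_PATH=$(build_ldpath "$DIR_EXECUTABLE" "${LD_LIBRARY_PATH-}") && export LD_LIBRARY_PATH`. The `:*|*:|*::*` pattern in `has_empty_element` is the whole detection rule; it is also a cheap check to run from a login script or a configuration-audit job against the environment of privileged services.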

Comment 1 Vincent Danen 2010-09-30 17:02:28 UTC
Created resource-agents tracking bugs for this issue

Affects: fedora-all [bug 639045]

Comment 3 Lon Hohberger 2011-01-20 19:43:17 UTC
I double-checked that DIR_EXECUTABLE is always set to something prior to the current resetting of LD_LIBRARY_PATH.

It is; consequently the patch, as more or less suggested, will work:

-  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+  LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+  export LD_LIBRARY_PATH
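Review bot: the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` form in the `+` line only prevents the script from adding a trailing ':' when LD_LIBRARY_PATH is unset or empty; an empty element already present in the inherited value (a leading ':', a trailing ':' or '::') is passed through unchanged and ld.so(8) will still resolve it to the current directory. Since rgmanager runs these agents as root, consider stripping or rejecting empty elements in the inherited value before prepending $DIR_EXECUTABLE, and note that the preceding `echo $LD_LIBRARY_PATH | grep -c` test shown in the description still word-splits the unquoted variable.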

Comment 4 Vincent Danen 2011-01-31 15:55:28 UTC
Acknowledgements:

Red Hat would like to thank Raphael Geissert for reporting this issue.

Comment 5 Fabio Massimo Di Nitto 2011-02-08 08:06:46 UTC
http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec

Patch available upstream, will be part of the upcoming release/update

Comment 6 errata-xmlrpc 2011-02-16 15:09:31 UTC
This issue has been addressed in the following products:

  Cluster Suite for RHEL 4

Via RHSA-2011:0264 https://rhn.redhat.com/errata/RHSA-2011-0264.html

Comment 9 errata-xmlrpc 2011-07-21 10:43:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1000 https://rhn.redhat.com/errata/RHSA-2011-1000.html

Comment 10 errata-xmlrpc 2011-07-21 12:29:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1000 https://rhn.redhat.com/errata/RHSA-2011-1000.html

Comment 11 errata-xmlrpc 2011-12-06 12:02:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1580 https://rhn.redhat.com/errata/RHSA-2011-1580.html