Bug 644596 (CVE-2010-4001)

Summary: CVE-2010-4001 gromacs: insecure library loading vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: junghans, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20100929,reported=20100929,source=vendor-sec,impact=low,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/gromacs=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:57:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 644950    
Bug Blocks:    

Description Vincent Danen 2010-10-19 20:07:41 UTC
Ludwig Nussel discovered that gromacs contained a script that could be abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/GMXRC.bash re-sets LD_LIBRARY_PATH insecurely:

tmppath=""
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do
  if test "$i" != "$GMXLDLIB"; then
    tmppath=${tmppath}:$i
  fi
done
LD_LIBRARY_PATH=$tmppath

One solution would be to do some shell monkey work (probably something easier but I can't think of it at the moment) like this:

tmppath=""
count=0
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do 
    if test "$i" != "$GMXLDLIB"; then
        if [ ${count} == 0 ]; then
            tmppath=$i
        else
            tmppath=${tmppath}:$i
            count=1
        fi 
    fi 
done

That will avoid prefixing LD_LIBRARY_PATH with ":" if it's set.

Comment 1 Vincent Danen 2010-10-20 16:28:43 UTC
Created gromacs tracking bugs for this issue

Affects: fedora-all [bug 644950]

Comment 2 Vincent Danen 2010-11-09 22:38:41 UTC
MITRE has disputed this with the following note:

"NOTE: CVE disputes this issue because the GMXLDLIB value is always added to the beginning of LD_LIBRARY_PATH at a later point in the script."

This can be seen in the script:

61 # NB: The variables already begin with ':' now, or are empty
62 LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH}

Seems like a strange way to handle things, but doesn't introduce any insecurities.  In fact, if nothing else, it does introduce a bug.

Using a slight variation of the script:

 cat 1
#!/bin/sh
tmppath=""
GMXLDLIB="/usr/lib"
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do
  if test "$i" != "$GMXLDLIB"; then
    if test "${tmppath}" == ""; then
      tmppath=$i
    else
    tmppath=${tmppath}:$i
  fi
  fi
done
LD_LIBRARY_PATH=$tmppath

LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH}

echo ${LD_LIBRARY_PATH}%                                                                                                                                                                                % sh 1                                     
/usr/lib
% LD_LIBRARY_PATH="" sh 1    
/usr/lib
% LD_LIBRARY_PATH="/foo" sh 1
/usr/lib/foo
% LD_LIBRARY_PATH="/foo:/usr/lib:/bar" sh 1
/usr/lib/foo:/bar

But that isn't a security issue as GMXLDLIB always gets prefixed, but the path string gets munged badly.  Probably better to have this in there instead:

if [ -z ${LD_LIBRARY_PATH} ]; then
    LD_LIBRARY_PATH=${GMXLDLIB}
else
    LD_LIBRARY_PATH=${GMXLDLIB}:${LD_LIBRARY_PATH}
fi


At any rate, I do agree with MITRE's assessment that this is not a security issue.

Comment 3 Christoph Junghans 2018-04-11 20:25:46 UTC
This has been fixed in 2016.1-2:

* Fri Dec 23 2016 Christoph Junghans <junghans@votca.org> - 2016.1-2
- drop dangerous GMXRC* - not needed when installed in /usr

Comment 4 Product Security DevOps Team 2019-06-10 10:57:22 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.