Bug 644596 (CVE-2010-4001)
| Summary: | CVE-2010-4001 gromacs: insecure library loading vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | junghans, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:57:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 644950 | ||
| Bug Blocks: | |||
Created gromacs tracking bugs for this issue Affects: fedora-all [bug 644950] MITRE has disputed this with the following note:
"NOTE: CVE disputes this issue because the GMXLDLIB value is always added to the beginning of LD_LIBRARY_PATH at a later point in the script."
This can be seen in the script:
61 # NB: The variables already begin with ':' now, or are empty
62 LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH}
Seems like a strange way to handle things, but doesn't introduce any insecurities. In fact, if nothing else, it does introduce a bug.
Using a slight variation of the script:
cat 1
#!/bin/sh
tmppath=""
GMXLDLIB="/usr/lib"
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do
if test "$i" != "$GMXLDLIB"; then
if test "${tmppath}" == ""; then
tmppath=$i
else
tmppath=${tmppath}:$i
fi
fi
done
LD_LIBRARY_PATH=$tmppath
LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH}
echo ${LD_LIBRARY_PATH}% % sh 1
/usr/lib
% LD_LIBRARY_PATH="" sh 1
/usr/lib
% LD_LIBRARY_PATH="/foo" sh 1
/usr/lib/foo
% LD_LIBRARY_PATH="/foo:/usr/lib:/bar" sh 1
/usr/lib/foo:/bar
But that isn't a security issue as GMXLDLIB always gets prefixed, but the path string gets munged badly. Probably better to have this in there instead:
if [ -z ${LD_LIBRARY_PATH} ]; then
LD_LIBRARY_PATH=${GMXLDLIB}
else
LD_LIBRARY_PATH=${GMXLDLIB}:${LD_LIBRARY_PATH}
fi
At any rate, I do agree with MITRE's assessment that this is not a security issue.
This has been fixed in 2016.1-2: * Fri Dec 23 2016 Christoph Junghans <junghans> - 2016.1-2 - drop dangerous GMXRC* - not needed when installed in /usr This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |
Ludwig Nussel discovered that gromacs contained a script that could be abused by an attacker to execute arbitrary code. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation. In Fedora, /usr/bin/GMXRC.bash re-sets LD_LIBRARY_PATH insecurely: tmppath="" for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do if test "$i" != "$GMXLDLIB"; then tmppath=${tmppath}:$i fi done LD_LIBRARY_PATH=$tmppath One solution would be to do some shell monkey work (probably something easier but I can't think of it at the moment) like this: tmppath="" count=0 for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do if test "$i" != "$GMXLDLIB"; then if [ ${count} == 0 ]; then tmppath=$i else tmppath=${tmppath}:$i count=1 fi fi done That will avoid prefixing LD_LIBRARY_PATH with ":" if it's set.