Bug 645471 (CVE-2010-3364)

Summary: CVE-2010-3364 vips: insecure library loading vulnerability
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adam, bgilbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-17 08:51:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 645472    
Bug Blocks:    

Description Jan Lieskovsky 2010-10-21 15:02:25 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3364 to
the following vulnerability:

The vips-7.22 script in VIPS 7.22.2 places a zero-length directory
name in the LD_LIBRARY_PATH, which allows local users to gain
privileges via a Trojan horse shared library in the current working
directory.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598296

Affected versions:
=================
This issue affects the versions of the vips package, as shipped with
Fedora of release:
1, 12. Relevant script is in BUILD/vips-7.18.2/src/scripts/vips-7.18
   Affected code line being:

     108         export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

2, 13. Relevant script is in BUILD/vips-7.20.7/tools/scripts/vips-7.20
   Affected code line being:

     108         export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

   The above used re-setting of LD_LIBRARY_PATH variable is insecure.

Tomas Hoger suggests (https://bugzilla.redhat.com/show_bug.cgi?id=638384#c2)
the following one-liner as a solution:

  export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

You can also query Red Hat Bugzilla system for "insecure library loading 
vulnerability" string, to get further information about all affected packages
and particular patches.

F-14 and F-15 pre-versions of vips (vips-7.22.2-1.fc14.2 and vips-7.22.2-3.fc15)
are affected by this deficiency too, just the particular vulnerable script has
different name and location.
Comment 1 Jan Lieskovsky 2010-10-21 15:06:38 UTC 
Created vips tracking bugs for this issue

Affects: fedora-all [bug 645472]
Comment 2 Benjamin Gilbert 2013-01-17 08:51:19 UTC 
All currently-supported versions of Fedora ship a newer vips without this vulnerability.