Bug 645481 (CVE-2010-3376)

Summary: CVE-2010-3376 root: insecure library loading vulnerability
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: mattias.ellert, steve.traylen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-22 09:08:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 645483
Bug Blocks:

Description Jan Lieskovsky 2010-10-21 15:34:10 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3376 to
the following vulnerability:

The (1) proofserv, (2) xrdcp, (3) xrdpwdadmin, and (4) xrd scripts in
ROOT 5.18/00 place a zero-length directory name in the
LD_LIBRARY_PATH, which allows local users to gain privileges via a
Trojan horse shared library in the current working directory.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3376
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598419
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598420


Affected versions:
=================
This issue affects the versions of the root package, as shipped with
Fedora of release 12 and 13. Relevant scripts are in:

  BUILD/root-5.26.00d/config

One sample occurrence of insecure LD_LIBRARY_PATH re-set is in:

  BUILD/root-5.26.00d/config/xrootd.in:

    44         export LD_LIBRARY_PATH=$XRDLIBS:$LD_LIBRARY_PATH

  The above re-setting of the LD_LIBRARY_PATH variable is insecure.

Tomas Hoger suggests (https://bugzilla.redhat.com/show_bug.cgi?id=638384#c2)
the following one-liner as a solution:

  export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

You can also query Red Hat Bugzilla system for "insecure library loading
vulnerability" string, to get further information about all affected packages
and particular patches.

Also, prior to scheduling particular "root" package Fedora v12 and v13 updates,
please check the whole content of the src.rpm package for similar deficiencies
via:

  grep -A2 -B2 -rHn "LD_LIBRARY_PATH" * | more

and fix (with the above one-liner) all of the insecure occurrences.

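Added example (not from the bug report or the ROOT/xrootd sources): a small POSIX shell script that contrasts the insecure prepend from xrootd.in with the `${VAR:+:$VAR}` form suggested above, and a helper that flags a search path containing an empty element. The function names and the sample directory names are assumptions; the dynamic loader's treatment of an empty LD_LIBRARY_PATH element as the current directory is what makes the empty element matter.

```shell
# Added example, not from the report or the ROOT/xrootd packages.
# Function names and directory values are constructed for illustration.

# Insecure form (as in xrootd.in line 44): when $2 (the old LD_LIBRARY_PATH)
# is empty or unset, the trailing ':' leaves an empty element, and the
# dynamic loader searches the current working directory for that element.
insecure_prepend() {
    printf '%s\n' "$1:$2"
}

# Safe form from the report: ${2:+:$2} expands to ":<old>" only when the
# old value is non-empty, so no empty element is ever produced.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Audit helper: succeeds (exit 0) when a search path contains an empty
# element, i.e. a leading ':', a trailing ':' or '::'. A completely empty
# value is ignored by the loader and is therefore reported as safe.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration over constructed values of LD_LIBRARY_PATH.
for old in "" "/opt/lib" "/opt/lib:" ":/opt/lib"; do
    bad=$(insecure_prepend /usr/lib/foo "$old")
    good=$(safe_prepend /usr/lib/foo "$old")
    if has_empty_element "$bad"; then b=UNSAFE; else b=ok; fi
    if has_empty_element "$good"; then g=UNSAFE; else g=ok; fi
    printf "old='%s'  insecure='%s' (%s)  safe='%s' (%s)\n" \
        "$old" "$bad" "$b" "$good" "$g"
done
```

Note that `safe_prepend` only avoids introducing an empty element; if the inherited LD_LIBRARY_PATH already contains one (the last two loop iterations), both forms are flagged, which is why the report asks to grep the whole source tree rather than fix a single line.
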
Comment 1 Jan Lieskovsky 2010-10-21 15:40:58 UTC
Created root tracking bugs for this issue

Affects: fedora-all [bug 645483]

Comment 2 Mattias Ellert 2010-10-22 09:08:13 UTC
This CVE is about a vulnerability in shell wrappers around some commands that
are used in the Debian packages. These wrappers are specific to Debian and the
vulnerability therefore does not affect Fedora.

According to the CVE the affected files (in Debian) are:

/usr/bin/proofserv
/usr/bin/xrdcp
/usr/bin/xrdpwdadmin
/usr/bin/xrd

The Fedora package uses the default wrapper from upstream for
/usr/bin/proofserv which does not have this issue.

The remaining three are not provided by root in Fedora, since xrootd has been
unbundled and is provided by a separate package. These three files as provided
by the xrootd-clients package are not shell wrappers that modify
LD_LIBRARY_PATH but the binaries themselves.


In addition - though not mentioned in the CVE itself, but in the bug description above - the xrootd start-up script from the root sources is not used since xrootd has been unbundled. The xrootd start-up script in the xrootd package, though based on the version in the root sources (since xrootd upstream doesn't provide their own), has already had the offending line removed.