Bug 672468 (CVE-2011-0532)

Summary: CVE-2011-0532 Directory Server: use of insecure LD_LIBRARY_PATH settings
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: a3li, benl, dlackey, jlieskov, ldv, nkinder, poelstra, rmeggins, security-response-team, sramling
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-07-22 07:58:21 UTC
Bug Depends On: 670922

Description Tomas Hoger 2011-01-25 08:08:57 UTC
It was discovered that 389 / Red Hat Directory Server set the LD_LIBRARY_PATH environment variable to an insecure value containing empty path elements in various shell scripts used by DS (e.g. various backup/restore scripts instantiated for each DS instance, as well as the main initialization script). Such an LD_LIBRARY_PATH setting causes the ld.so dynamic linker to perform the library search relative to the current working directory before searching system library directories. A local attacker able to trick a user running those scripts (usually the root user) into running them while working from an attacker-writeable directory could use this flaw to escalate their privileges via a specially crafted dynamic library.

Comment 1 Tomas Hoger 2011-01-25 08:20:45 UTC
Examples include:

- dirsrv init script
  LD_LIBRARY_PATH=/usr/lib/dirsrv::/usr/lib

- ldap-agent
  LIB_DIR=:::
  LD_LIBRARY_PATH=${LIB_DIR}

- backup scripts
  LD_LIBRARY_PATH=$prefix/{{SERVER-DIR}}:$prefix:$prefix/usr/lib:$prefix/usr/lib
  if [ -n "$prefix" ] ; then
    LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:"
  fi

This issue is the result of the expansion of certain configure variables to an empty string.
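The description and the examples above both come down to one property of the value: any empty element (a leading ":", a trailing ":" or "::") is treated by ld.so as the current working directory. The following POSIX sh snippet is an added example, not code from the bug report or from the Directory Server scripts; it audits an LD_LIBRARY_PATH-style value for elements that resolve against the working directory and produces a sanitised value with those elements dropped. The values it is run over are the ones quoted above plus one constructed trailing-colon value (/usr/lib/dirsrv:) standing in for what the backup script's `"${LD_LIBRARY_PATH}:"` line produces.

```shell
#!/bin/sh
# Added example (not from the bug report or the Directory Server scripts):
# audit and sanitise an LD_LIBRARY_PATH-style value. ld.so treats an empty
# element (leading ":", trailing ":" or "::") as the current working
# directory, so "/usr/lib/dirsrv::/usr/lib" makes a script load libraries
# from wherever it happens to be run.

# ld_path_scan VALUE
# Walks the ":"-separated elements of VALUE and sets, for the caller:
#   LD_PATH_BAD    number of elements that make ld.so search the cwd
#   LD_PATH_CLEAN  the value with those elements removed
ld_path_scan() {
    LD_PATH_BAD=0
    LD_PATH_CLEAN=
    [ -n "$1" ] || return 0            # unset or empty: ld.so ignores it
    rest=$1
    while :; do
        # Take the next element by hand: a trailing ":" yields a final empty
        # element, which a plain IFS=: word split would silently drop.
        case $rest in
            *:*) elem=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   elem=$rest; more=0 ;;
        esac
        case $elem in
            /*) LD_PATH_CLEAN=${LD_PATH_CLEAN:+$LD_PATH_CLEAN:}$elem ;;
            *)  LD_PATH_BAD=$((LD_PATH_BAD + 1)) ;;   # "", "." or relative: cwd
        esac
        [ "$more" -eq 1 ] || break
    done
}

# Convenience wrappers that print a single result (subshell-safe).
ld_path_bad_count() { ld_path_scan "$1"; echo "$LD_PATH_BAD"; }
ld_path_sanitise()  { ld_path_scan "$1"; echo "$LD_PATH_CLEAN"; }

# Run the checker over the values quoted in the bug report, a constructed
# trailing-colon value, and a safe value for comparison.
for value in '/usr/lib/dirsrv::/usr/lib' ':::' '/usr/lib/dirsrv:' '/usr/lib/dirsrv:/usr/lib'; do
    ld_path_scan "$value"
    printf '%-28s bad=%d clean=%s\n' "$value" "$LD_PATH_BAD" "$LD_PATH_CLEAN"
done
```

The same scan applies to any variable with this colon-separated layout, so a packaging check can grep each installed script for `LD_LIBRARY_PATH=` and `SHLIB_PATH=` assignments and run the assigned value through `ld_path_bad_count`; a non-zero count is the condition reported here.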

Comment 2 Tomas Hoger 2011-01-25 08:23:30 UTC
Most scripts also set SHLIB_PATH to the same value as LD_LIBRARY_PATH. I don't know if the HP-UX dynamic linker handles empty paths in SHLIB_PATH in the same way as glibc ld.so does in LD_LIBRARY_PATH. Can anyone with access to an HP-UX system verify this? DS scripts usually do SHLIB_PATH=$LD_LIBRARY_PATH or similar, so the LD_LIBRARY_PATH fix should resolve most SHLIB_PATH issues too.

Comment 19 errata-xmlrpc 2011-02-22 17:46:12 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 8 for RHEL 4
  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2011:0293 https://rhn.redhat.com/errata/RHSA-2011-0293.html