Bug 469657 - (CVE-2008-4865) CVE-2008-4865 valgrind: .valgrindrc loaded from untrusted locations
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Reported: 2008-11-03 04:50 EST by Tomas Hoger
Modified: 2011-08-11 10:24 EDT
Doc Type: Bug Fix
Last Closed: 2011-08-11 10:24:52 EDT

Attachments
Upstream patch, mentioned in the previous comment (2.42 KB, patch), 2009-01-08 05:07 EST, Tomas Hoger

External Trackers
KDE Software Compilation 177682
Debian BTS 507312

Description Tomas Hoger 2008-11-03 04:50:13 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4865 to the following vulnerability:

Untrusted search path vulnerability in valgrind allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command option. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.

Comment 1 Tomas Hoger 2008-11-03 04:57:04 EST
As a side note: a similar issue was reported in the past for gdb and its handling of the .gdbinit file, and was assigned CVE id CVE-2005-1705:

  http://bugs.gentoo.org/show_bug.cgi?id=88398 (Tavis' report)

Current gdb versions apply certain checks to the .gdbinit file before using it. The file is rejected as untrusted when it is group-writable or owned by a different user. This eliminates the vector where a malicious local user tricks the victim into running gdb in a specially crafted directory, but does not eliminate the "tarball with 'your app crashes on this input file' along with a malicious init file" vector. There currently does not seem to be any good way to address this without breaking the init file feature completely.
Comment 2 Robert Buchholz 2009-01-04 21:11:02 EST
This has been resolved in 3.4 or r8798:

$ svn log -c 8798 svn://svn.valgrind.org/valgrind/trunk
r8798 | dirk | 2008-11-22 13:03:19 +0100 (Sat, 22 Nov 2008) | 3 lines

ignore .valgrindrc files that are world writeable
or not owned by the current user (CVE-2008-4865)

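The trust check described in Comment 2 (reject a .valgrindrc that is world-writable or not owned by the current user), plus the stricter group-writable test gdb applies to .gdbinit from Comment 1, as an added example in Python. This is not valgrind's own code; the rc-file reader, the option names and the temporary files are constructed for the example.

```python
import os
import stat
import tempfile
from typing import Optional

def rc_trust_problem(mode: int, owner_uid: int, current_uid: int,
                     reject_group_writable: bool = False) -> Optional[str]:
    """Return why an rc file must be ignored, or None if it can be trusted.
    The ownership and world-writable tests are the r8798 rule quoted above;
    the optional group-writable test is the stricter check gdb applies."""
    if not stat.S_ISREG(mode):
        return "not a regular file"
    if owner_uid != current_uid:
        return f"owned by uid {owner_uid}, not by current uid {current_uid}"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if reject_group_writable and mode & stat.S_IWGRP:
        return "group-writable"
    return None

def load_rc_options(path: str, reject_group_writable: bool = False) -> list[str]:
    """Return the option lines of an rc file, or [] if it is missing or untrusted."""
    try:
        # O_NOFOLLOW: a symlink planted in the directory must not redirect the read.
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError:
        return []
    st = os.fstat(fd)  # inspect the descriptor we will read, not a racy path lookup
    problem = rc_trust_problem(st.st_mode, st.st_uid, os.getuid(), reject_group_writable)
    if problem is not None:
        os.close(fd)
        print(f"{path}: ignored ({problem})")
        return []
    with os.fdopen(fd) as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.lstrip().startswith("#")]

def demo() -> dict[str, list[str]]:
    """Constructed sample: one .valgrindrc under several permission settings."""
    rc = os.path.join(tempfile.mkdtemp(), ".valgrindrc")
    with open(rc, "w") as f:
        f.write("# constructed rc file for the example\n--leak-check=full\n")
    results = {}
    for label, mode in (("0644", 0o644), ("0666", 0o666), ("0664", 0o664)):
        os.chmod(rc, mode)
        results[label] = load_rc_options(rc)
    results["0664 strict"] = load_rc_options(rc, reject_group_writable=True)
    return results

if __name__ == "__main__":
    print(demo())
```

Note that fstat on the open descriptor, rather than stat on the path, is what keeps the check and the read referring to the same file.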
Comment 3 Tomas Hoger 2009-01-08 05:07:08 EST
Created attachment 328455
Upstream patch, mentioned in the previous comment

svn diff -c 8798 svn://svn.valgrind.org/valgrind/trunk
Comment 4 Tomas Hoger 2009-02-03 05:58:57 EST
The fix is now included in the new upstream version, 3.4:
Comment 6 Tomas Hoger 2009-02-05 04:13:52 EST
This issue affects the versions of valgrind shipped in Red Hat Enterprise Linux 4 and 5, as well as current Fedora versions (9 and 10).

This issue has been rated as having low security impact; a future update may address this flaw.
Comment 7 Tomas Hoger 2011-02-17 10:28:29 EST
The valgrind packages were rebased in Red Hat Enterprise Linux 5.5 to upstream version 3.5.0, which contains the patch mentioned above that prevents reading a world-writable or not-owned .valgrindrc:
