Bug 469657 (CVE-2008-4865) - CVE-2008-4865 valgrind: .valgrindrc loaded from untrusted locations
Summary: CVE-2008-4865 valgrind: .valgrindrc loaded from untrusted locations
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4865
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-11-03 09:50 UTC by Tomas Hoger
Modified: 2021-11-12 19:53 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-08-11 14:24:52 UTC
Embargoed:


Attachments
Upstream patch, mentioned in the previous comment (2.42 KB, patch)
2009-01-08 10:07 UTC, Tomas Hoger


Links
Debian BTS 507312
KDE Software Compilation 177682

Description Tomas Hoger 2008-11-03 09:50:13 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4865 to the following vulnerability:

Untrusted search path vulnerability in valgrind allows local users to
execute arbitrary programs via a Trojan horse .valgrindrc file in the
current working directory, as demonstrated using a malicious
--db-command option. NOTE: the severity of this issue has been
disputed, but CVE is including this issue because execution of a
program from an untrusted directory is a common scenario.

References:
http://www.openwall.com/lists/oss-security/2008/10/27/4

Comment 1 Tomas Hoger 2008-11-03 09:57:04 UTC
As a side note:
A similar issue was reported in the past for gdb and its handling of the .gdbinit file and was assigned CVE id CVE-2005-1705:

  http://bugs.gentoo.org/show_bug.cgi?id=88398 (Tavis' report)

Current gdb versions apply certain checks on the .gdbinit file before using it.  The file is rejected as untrusted when it is group-writeable or owned by a different user.  This eliminates the vector where a malicious local user tricks the victim into running gdb in a specially crafted directory, but does not eliminate the "tarball with 'your app crashes on this input file' along with a malicious init file" vector.  There currently does not seem to be any good way to address this without breaking the init file feature completely.

Comment 2 Robert Buchholz 2009-01-05 02:11:02 UTC
This has been resolved in 3.4 or r8798:

$ svn log -c 8798 svn://svn.valgrind.org/valgrind/trunk
------------------------------------------------------------------------
r8798 | dirk | 2008-11-22 13:03:19 +0100 (Sat, 22 Nov 2008) | 3 lines

ignore .valgrindrc files that are world writeable
or not owned by the current user (CVE-2008-4865)

------------------------------------------------------------------------
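
The ownership and permission test described in the r8798 log message above, and the stricter gdb-style variant from comment 1, as an added worked example. This is not valgrind's or gdb's code: the function names, the reject_group_writable switch and the choice to open the file first and run the checks on the open descriptor with fstat (so the inode that is checked is the one that is read, closing the check-then-open race) are this example's own assumptions, not a description of what the upstream patch does. The sample files are constructed in /tmp and removed again.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why an rc file was rejected (or RC_TRUSTED if it may be parsed). */
enum rc_verdict {
    RC_TRUSTED = 0,
    RC_MISSING,         /* cannot be opened at all                    */
    RC_NOT_REGULAR,     /* directory, device, FIFO ...                */
    RC_WRONG_OWNER,     /* owned by someone other than the caller     */
    RC_WORLD_WRITABLE,  /* anyone could have planted the options      */
    RC_GROUP_WRITABLE   /* only rejected under the stricter policy    */
};

/* Open `path` and decide whether its contents may be treated as the
 * caller's own options.  The checks run on the already-open descriptor
 * (fstat), so the inode that is checked is the inode that will be read;
 * a stat()-then-open() sequence could be raced by swapping the file in
 * between (this example's choice, not necessarily the upstream patch's).
 * With reject_group_writable == 0 this is the policy from the r8798 log
 * message (reject world-writable or not owned by the current user);
 * with 1 it is the stricter gdb .gdbinit policy quoted in comment 1,
 * which also rejects group-writable files.
 * Returns an open read-only fd on success, else -1 with *why set. */
int rcfile_open_trusted(const char *path, int reject_group_writable,
                        enum rc_verdict *why)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0) {
        *why = RC_MISSING;
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        *why = RC_NOT_REGULAR;
    } else if (st.st_uid != getuid()) {
        *why = RC_WRONG_OWNER;
    } else if (st.st_mode & S_IWOTH) {
        *why = RC_WORLD_WRITABLE;
    } else if (reject_group_writable && (st.st_mode & S_IWGRP)) {
        *why = RC_GROUP_WRITABLE;
    } else {
        *why = RC_TRUSTED;
        return fd;
    }
    close(fd);
    return -1;
}

/* Convenience wrapper: just the verdict for a path, descriptor closed. */
enum rc_verdict verdict_for_path(const char *path, int reject_group_writable)
{
    enum rc_verdict why;
    int fd = rcfile_open_trusted(path, reject_group_writable, &why);
    if (fd >= 0)
        close(fd);
    return why;
}

/* Constructed input: create a throw-away file with the given permission
 * bits and report how the policy classifies it.  The file is always owned
 * by the caller, so RC_WRONG_OWNER cannot be produced here without a
 * second account; that branch is the one a Trojan .valgrindrc planted in
 * another user's directory would hit. */
enum rc_verdict verdict_for_mode(mode_t mode, int reject_group_writable)
{
    char name[] = "/tmp/valgrindrc-demo-XXXXXX";   /* hypothetical name */
    int fd = mkstemp(name);
    if (fd < 0)
        return RC_MISSING;
    close(fd);
    if (chmod(name, mode) != 0) {   /* chmod is not masked by umask */
        unlink(name);
        return RC_MISSING;
    }
    enum rc_verdict v = verdict_for_path(name, reject_group_writable);
    unlink(name);
    return v;
}

int main(void)
{
    static const char *names[] = { "trusted", "missing", "not a regular file",
        "wrong owner", "world-writable", "group-writable" };
    mode_t modes[] = { 0600, 0644, 0664, 0666 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("mode %04o: valgrind policy -> %s, gdb policy -> %s\n",
               (unsigned)modes[i],
               names[verdict_for_mode(modes[i], 0)],
               names[verdict_for_mode(modes[i], 1)]);
    return 0;
}
```

The difference between the two policies is the 0664 case: the r8798 rule accepts a group-writable file, so a hostile member of a shared group can still plant options, while the gdb rule rejects it. Neither rule helps against the tarball vector from comment 1, because an unpacked .valgrindrc is owned by whoever unpacked it with a normal mode.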

Comment 3 Tomas Hoger 2009-01-08 10:07:08 UTC
Created attachment 328455
Upstream patch, mentioned in the previous comment

svn diff -c 8798 svn://svn.valgrind.org/valgrind/trunk

Comment 4 Tomas Hoger 2009-02-03 10:58:57 UTC
Fix is now included in new upstream version - 3.4:
  http://valgrind.org/docs/manual/dist.news.html

Comment 6 Tomas Hoger 2009-02-05 09:13:52 UTC
This issue affects the version of valgrind as shipped in Red Hat Enterprise Linux 4 and 5, as well as current Fedora versions (9, 10).

This issue has been rated as having low security impact; a future update may address this flaw.

Comment 7 Tomas Hoger 2011-02-17 15:28:29 UTC
The valgrind packages were rebased in Red Hat Enterprise Linux 5.5 to upstream version 3.5.0, which contains the patch mentioned above that prevents reading world-writeable or not-owned .valgrindrc files:
  http://rhn.redhat.com/errata/RHEA-2010-0272.html

