Bug 639044 - (CVE-2010-3389) CVE-2010-3389 rgmanager: insecure library loading vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
public=20100930,reported=20100914,sou...
: Security
Depends On: 639045 671073 705763 710637
Blocks: 734217
Reported: 2010-09-30 13:01 EDT by Vincent Danen
Modified: 2015-08-19 04:56 EDT (History)

Doc Type: Bug Fix
Last Closed: 2011-12-07 04:00:34 EST


Attachments: None
Description Vincent Danen 2010-09-30 13:01:12 EDT
Raphael Geissert conducted a review of various packages in Debian and found that cluster-agents contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, resource-agents contains rgmanager, which has the same scripts as Debian's cluster-agents.  /usr/share/cluster/SAPDatabase and /usr/share/cluster/SAPInstance both re-set LD_LIBRARY_PATH insecurely:

# as root user we need the library path to the SAP kernel to be able to call executables
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then 
  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
fi

A solution is to patch the scripts to properly set $LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

This issue has been assigned the name CVE-2010-3389.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549
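The following is an added example, not code from this bug report or from resource-agents. It reproduces the empty-element problem described above with a small check that flags a leading ':', a trailing ':' or a '::' inside a colon-separated path, puts the vulnerable "$dir:$old" pattern next to the "${old:+:$old}" form suggested in the description, and adds a portable, slightly stricter replacement for the grep -c "^$DIR_EXECUTABLE\>" guard. The directory /opt/sap/exe and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from resource-agents.
# Shows why an empty element in LD_LIBRARY_PATH matters and how the
# ${VAR:+:$VAR} expansion suggested in the report avoids introducing one.
# Directory names are constructed for the demonstration.

# Return 0 if a colon-separated search path contains an empty element:
# a leading ':', a trailing ':' or a '::' in the middle. ld.so(8) resolves
# each of these to the current working directory.
has_empty_element() {
    [ -n "$1" ] || return 1          # unset/empty means "no extra dirs"
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# The pattern from the vulnerable scripts: "$dir:$old" unconditionally.
# With $old empty the result is "$dir:", i.e. a trailing empty element.
prepend_insecure() {
    printf '%s\n' "$1:$2"
}

# The fixed pattern: the ":$old" suffix is added only when $old is non-empty.
prepend_secure() {
    printf '%s\n' "$1${2:+:$2}"
}

# Portable, stricter replacement for the grep -c "^$DIR_EXECUTABLE\>" guard:
# is $1 already the first element of $2? (quoted case patterns match literally)
already_first() {
    case "$2" in
        "$1"|"$1":*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Prepend $1 to the path $2 the safe way, and only once.
safe_prepend() {
    if already_first "$1" "$2"; then
        printf '%s\n' "$2"
    else
        prepend_secure "$1" "$2"
    fi
}

# Demonstration with a constructed SAP executable directory and an empty
# inherited LD_LIBRARY_PATH, as when an agent is started by rgmanager.
dir=/opt/sap/exe
old=""
bad=$(prepend_insecure "$dir" "$old")
good=$(safe_prepend "$dir" "$old")
printf 'insecure: %s -> empty element: ' "$bad"
has_empty_element "$bad" && echo yes || echo no
printf 'secure:   %s -> empty element: ' "$good"
has_empty_element "$good" && echo yes || echo no
# A second run does not duplicate the entry.
printf 'idempotent: %s\n' "$(safe_prepend "$dir" "$good")"
```

has_empty_element only reports the problem; a script that inherits a LD_LIBRARY_PATH which already contains an empty element should either refuse to run or strip those elements, since prepend_secure only avoids adding a new one.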
Comment 1 Vincent Danen 2010-09-30 13:02:28 EDT
Created resource-agents tracking bugs for this issue

Affects: fedora-all [bug 639045]
Comment 3 Lon Hohberger 2011-01-20 14:43:17 EST
I double-checked that DIR_EXECUTABLE is always set to something prior to the current resetting of LD_LIBRARY_PATH.

It is; consequently the patch, as more or less suggested, will work:

-  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+  LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+  export LD_LIBRARY_PATH
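Review bot: the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` expansion on the added line stops this script from appending a trailing empty element when the variable is unset or empty, but it does not remove empty elements (a leading ':', a '::' or a trailing ':') that are already present in the inherited LD_LIBRARY_PATH, and ld.so(8) still resolves those to the current directory. Consider normalising the inherited value before prepending, e.g. `LD_LIBRARY_PATH=$(printf '%s' "$LD_LIBRARY_PATH" | sed 's/::*/:/g;s/^://;s/:$//')`, or treating such a value as an error, so the agent does not silently carry an unsafe search path supplied by its caller.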
Comment 4 Vincent Danen 2011-01-31 10:55:28 EST
Acknowledgements:

Red Hat would like to thank Raphael Geissert for reporting this issue.
Comment 5 Fabio Massimo Di Nitto 2011-02-08 03:06:46 EST
http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec

Patch available upstream, will be part of the upcoming release/update
Comment 6 errata-xmlrpc 2011-02-16 10:09:31 EST
This issue has been addressed in following products:

  Cluster Suite for RHEL 4

Via RHSA-2011:0264 https://rhn.redhat.com/errata/RHSA-2011-0264.html
Comment 9 errata-xmlrpc 2011-07-21 06:43:24 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1000 https://rhn.redhat.com/errata/RHSA-2011-1000.html
Comment 11 errata-xmlrpc 2011-12-06 07:02:21 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1580 https://rhn.redhat.com/errata/RHSA-2011-1580.html
