Bug 639044 (CVE-2010-3389) - CVE-2010-3389 rgmanager: insecure library loading vulnerability
Summary: CVE-2010-3389 rgmanager: insecure library loading vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3389
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 639045 671073 705763 710637
Blocks: 734217
Reported: 2010-09-30 17:01 UTC by Vincent Danen
Modified: 2019-09-29 12:39 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-07 09:00:34 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0264 normal SHIPPED_LIVE Low: rgmanager security and bug fix update 2011-02-16 15:07:04 UTC
Red Hat Product Errata RHSA-2011:1000 normal SHIPPED_LIVE Low: rgmanager security, bug fix, and enhancement update 2011-07-21 10:43:18 UTC
Red Hat Product Errata RHSA-2011:1580 normal SHIPPED_LIVE Low: resource-agents security, bug fix, and enhancement update 2011-12-06 00:38:57 UTC

Description Vincent Danen 2010-09-30 17:01:12 UTC
Raphael Geissert conducted a review of various packages in Debian and found that cluster-agents contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, resource-agents contains rgmanager, which has the same scripts as Debian's cluster-agents.  /usr/share/cluster/SAPDatabase and /usr/share/cluster/SAPInstance both re-set LD_LIBRARY_PATH insecurely:

# as root user we need the library path to the SAP kernel to be able to call executables
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then 
  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
fi

A solution is to patch the scripts to properly set $LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

This issue has been assigned the name CVE-2010-3389.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549
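As an added illustration (not code from this bug report, from Debian's cluster-agents, or from resource-agents), the following POSIX shell script puts the vulnerable and the fixed assignment side by side, checks a search-path value for the empty elements that ld.so(8) treats as '.', and greps a script for the unsafe pattern. The function names and the sample script fragment are this example's own.

```shell
#!/bin/sh
# Added example; not code from the bug report or from rgmanager/resource-agents.
# It shows (1) why the vulnerable assignment creates an empty LD_LIBRARY_PATH
# element, (2) the ${VAR:+...} idiom the fix uses, and (3) a small audit that
# flags the unsafe pattern in a shell script. All names are this example's own.

# build_path DIR CUR [MODE]: print the value obtained by prepending DIR to the
# search path CUR. MODE "unsafe" reproduces the vulnerable form from the report,
# anything else the fixed form.
build_path() {
    dir=$1
    cur=$2
    mode=${3:-safe}
    if [ "$mode" = unsafe ]; then
        # Vulnerable: when CUR is empty this yields "DIR:", and the trailing
        # empty element is searched as "." by ld.so(8).
        printf '%s\n' "$dir:$cur"
    else
        # Fixed: the ":" separator is only emitted when CUR is non-empty.
        printf '%s\n' "$dir${cur:+:$cur}"
    fi
}

# has_empty_entry VALUE: succeed (exit 0) if the colon-separated VALUE contains
# an empty element: a leading colon, a trailing colon, or "::". An entirely
# empty VALUE is not flagged, since ld.so ignores an empty LD_LIBRARY_PATH.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# find_unsafe_assignments FILE: print (with line numbers) assignments in FILE
# that splice a bare $LD_LIBRARY_PATH onto a colon, skipping lines that use the
# ${LD_LIBRARY_PATH:+...} guard. Exit status 0 if anything was found.
find_unsafe_assignments() {
    grep -nE 'LD_LIBRARY_PATH=.*(:[$][{]?LD_LIBRARY_PATH[}]?|[$][{]?LD_LIBRARY_PATH[}]?:)' "$1" |
        grep -vE '[$][{]LD_LIBRARY_PATH:[+]'
}

# Demo on a constructed script fragment (not the real SAPDatabase agent).
demo() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
DIR_EXECUTABLE=/usr/sap/XYZ/SYS/exe/run
LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
export LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
EOF
    echo "unsafe, empty inherited path: $(build_path /usr/sap/XYZ/SYS/exe/run '' unsafe)"
    echo "fixed,  empty inherited path: $(build_path /usr/sap/XYZ/SYS/exe/run '')"
    echo "unsafe assignments in constructed script:"
    find_unsafe_assignments "$tmp" || echo "(none)"
    rm -f "$tmp"
}

demo
```

The `${VAR:+:$VAR}` guard only prevents the script from introducing a new empty element; a value inherited from the caller that already contains one is passed through unchanged, which is what `has_empty_entry` is there to detect.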

Comment 1 Vincent Danen 2010-09-30 17:02:28 UTC
Created resource-agents tracking bugs for this issue

Affects: fedora-all [bug 639045]

Comment 3 Lon Hohberger 2011-01-20 19:43:17 UTC
I double-checked that DIR_EXECUTABLE is always set to something prior to the current resetting of LD_LIBRARY_PATH.

It is; consequently the patch, as more or less suggested, will work:

-  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
+  LD_LIBRARY_PATH=$DIR_EXECUTABLE${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
+  export LD_LIBRARY_PATH
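Review bot: the `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` form on the first `+` line only avoids creating a new empty element when the inherited LD_LIBRARY_PATH is unset or empty; an inherited value that already contains an empty element (a leading or trailing colon, or "::") is passed through unchanged, and ld.so(8) will still search the current directory for it, as the description explains. If the agent cannot assume a clean inherited value, consider stripping empty elements from $LD_LIBRARY_PATH before prepending $DIR_EXECUTABLE, or at least document the assumption next to the `# as root user ...` comment. The surrounding guard from the description, `grep -c "^$DIR_EXECUTABLE\>"`, is not part of this hunk and still only checks whether $DIR_EXECUTABLE is the first element, so it can be prepended again on re-entry when it already appears elsewhere in the list; harmless for this fix, but worth noting.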

Comment 4 Vincent Danen 2011-01-31 15:55:28 UTC
Acknowledgements:

Red Hat would like to thank Raphael Geissert for reporting this issue.

Comment 5 Fabio Massimo Di Nitto 2011-02-08 08:06:46 UTC
http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec

Patch available upstream, will be part of the upcoming release/update

Comment 6 errata-xmlrpc 2011-02-16 15:09:31 UTC
This issue has been addressed in the following products:

  Cluster Suite for RHEL 4

Via RHSA-2011:0264 https://rhn.redhat.com/errata/RHSA-2011-0264.html

Comment 9 errata-xmlrpc 2011-07-21 10:43:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1000 https://rhn.redhat.com/errata/RHSA-2011-1000.html

Comment 10 errata-xmlrpc 2011-07-21 12:29:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1000 https://rhn.redhat.com/errata/RHSA-2011-1000.html

Comment 11 errata-xmlrpc 2011-12-06 12:02:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1580 https://rhn.redhat.com/errata/RHSA-2011-1580.html

