Ludwig Nussel discovered that banshee contained a script that could be abused by an attacker to execute arbitrary code. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as '.' (the current working directory). If the given script is executed from a directory where a local attacker can write files, there is a chance for exploitation.

In Fedora, both /usr/bin/banshee-1 and /usr/bin/muinshee re-set LD_LIBRARY_PATH insecurely (incidentally, GST_PLUGIN_PATH is also re-set insecurely):

  export LD_LIBRARY_PATH=/usr/lib:/usr/lib/banshee-1:/usr/lib/banshee-1/Extensions:/usr/lib/banshee-1/Backends${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
  export GST_PLUGIN_PATH=/usr/lib/banshee-1/gstreamer-0.10${GST_PLUGIN_PATH+:$GST_PLUGIN_PATH}

The ${VAR+...} form expands whenever VAR is set, even when it is set to the empty string, so a set-but-empty LD_LIBRARY_PATH yields a trailing ':' and therefore an empty item. A solution is to patch the script to use ':+' properly, which expands only when the variable is set and non-empty:

  export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
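As an added example (not part of this bug report or of the banshee package), the POSIX shell functions below contrast the insecure '+' expansion with the fixed ':+' form and add a check that flags empty elements in a colon-separated search path; the function names are my own.

```shell
# Added example, not from the Fedora bug report: shows why ${VAR+:$VAR}
# is unsafe, what ${VAR:+:$VAR} changes, and how to audit a path value
# for the empty elements that ld.so(8) treats as '.'.

# Insecure form, as in the original banshee wrapper: '+' tests only whether
# the variable is *set*, so a set-but-empty value produces a trailing ':'.
# $1 = directories to prepend, $2 = current value of the variable
insecure_prepend() {
    _cur="$2"
    printf '%s' "$1${_cur+:$_cur}"
}

# Fixed form: ':+' tests whether the variable is set *and non-empty*, so an
# empty current value adds nothing (no trailing ':', no implicit '.').
secure_prepend() {
    _cur="$2"
    printf '%s' "$1${_cur:+:$_cur}"
}

# Audit helper: returns 0 when the colon-separated list in $1 has no empty
# element, 1 when it has one (leading ':', trailing ':' or '::'), i.e. when
# ld.so would also search the current working directory. An entirely empty
# string has no elements and therefore passes.
has_no_empty_element() {
    case "$1" in
        :*|*:|*::*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration with LD_LIBRARY_PATH set but empty (the problematic case).
echo "insecure: $(insecure_prepend /usr/lib:/usr/lib/banshee-1 '')"
echo "secure:   $(secure_prepend /usr/lib:/usr/lib/banshee-1 '')"
```

The same audit can be run against the environment of a running process (for example the value of LD_LIBRARY_PATH in /proc/PID/environ) to confirm that no wrapper script has left an empty search entry behind.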
This issue has been assigned the name CVE-2010-3998.
Created banshee tracking bugs for this issue

Affects: fedora-all [bug 644941]
The following updates were pushed out to stable.

https://admin.fedoraproject.org/updates/banshee-1.8.0-10.fc14
https://admin.fedoraproject.org/updates/banshee-1.6.1-4.fc12
https://admin.fedoraproject.org/updates/banshee-1.6.1-4.fc13