Bug 644554 (CVE-2010-3998) - CVE-2010-3998 banshee: insecure library loading vulnerability
Summary: CVE-2010-3998 banshee: insecure library loading vulnerability
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2010-3998
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100929,reported=20100929,sou...
Depends On: 644941
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-10-19 19:30 UTC by Vincent Danen
Modified: 2019-06-08 18:38 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-12 22:28:20 UTC


Attachments (Terms of Use)

Description Vincent Danen 2010-10-19 19:30:57 UTC
Ludwig Nussel discovered that banshee contained a script that could be abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, both /usr/bin/banshee-1 and /usr/bin/muinshee re-set LD_LIBRARY_PATH insecurely (incidentally, GST_PLUGIN_PATH is also re-set insecurely):

export LD_LIBRARY_PATH=/usr/lib:/usr/lib/banshee-1:/usr/lib/banshee-1/Extensions:/usr/lib/banshee-1/Backends${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
export GST_PLUGIN_PATH=/usr/lib/banshee-1/gstreamer-0.10${GST_PLUGIN_PATH+:$GST_PLUGIN_PATH}

A solution is to patch the script to use ':+:' properly:

export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

Comment 1 Vincent Danen 2010-10-19 19:46:10 UTC
This issue has been assigned the name CVE-2010-3998.

Comment 2 Vincent Danen 2010-10-20 16:19:45 UTC
Created banshee tracking bugs for this issue

Affects: fedora-all [bug 644941]


Note You need to log in before you can comment on or make changes to this bug.