Ludwig Nussel discovered that gromacs contained a script that could be abused by an attacker to execute arbitrary code. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation. In Fedora, /usr/bin/GMXRC.bash re-sets LD_LIBRARY_PATH insecurely: tmppath="" for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do if test "$i" != "$GMXLDLIB"; then tmppath=${tmppath}:$i fi done LD_LIBRARY_PATH=$tmppath One solution would be to do some shell monkey work (probably something easier but I can't think of it at the moment) like this: tmppath="" count=0 for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do if test "$i" != "$GMXLDLIB"; then if [ ${count} == 0 ]; then tmppath=$i else tmppath=${tmppath}:$i count=1 fi fi done That will avoid prefixing LD_LIBRARY_PATH with ":" if it's set.
Created gromacs tracking bugs for this issue Affects: fedora-all [bug 644950]
MITRE has disputed this with the following note: "NOTE: CVE disputes this issue because the GMXLDLIB value is always added to the beginning of LD_LIBRARY_PATH at a later point in the script." This can be seen in the script: 61 # NB: The variables already begin with ':' now, or are empty 62 LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH} Seems like a strange way to handle things, but doesn't introduce any insecurities. In fact, if nothing else, it does introduce a bug. Using a slight variation of the script: cat 1 #!/bin/sh tmppath="" GMXLDLIB="/usr/lib" for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do if test "$i" != "$GMXLDLIB"; then if test "${tmppath}" == ""; then tmppath=$i else tmppath=${tmppath}:$i fi fi done LD_LIBRARY_PATH=$tmppath LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH} echo ${LD_LIBRARY_PATH}% % sh 1 /usr/lib % LD_LIBRARY_PATH="" sh 1 /usr/lib % LD_LIBRARY_PATH="/foo" sh 1 /usr/lib/foo % LD_LIBRARY_PATH="/foo:/usr/lib:/bar" sh 1 /usr/lib/foo:/bar But that isn't a security issue as GMXLDLIB always gets prefixed, but the path string gets munged badly. Probably better to have this in there instead: if [ -z ${LD_LIBRARY_PATH} ]; then LD_LIBRARY_PATH=${GMXLDLIB} else LD_LIBRARY_PATH=${GMXLDLIB}:${LD_LIBRARY_PATH} fi At any rate, I do agree with MITRE's assessment that this is not a security issue.
This has been fixed in 2016.1-2: * Fri Dec 23 2016 Christoph Junghans <junghans> - 2016.1-2 - drop dangerous GMXRC* - not needed when installed in /usr
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.