Bug 644596 - (CVE-2010-4001) CVE-2010-4001 gromacs: insecure library loading vulnerability
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20100929,reported=20100929,sou...
Keywords: Security
Depends On: 644950
Reported: 2010-10-19 16:07 EDT by Vincent Danen
Modified: 2015-08-19 04:58 EDT (History)
Doc Type: Bug Fix
Description Vincent Danen 2010-10-19 16:07:41 EDT
Ludwig Nussel discovered that gromacs contained a script that could be abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/GMXRC.bash re-sets LD_LIBRARY_PATH insecurely:

tmppath=""
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do
  if test "$i" != "$GMXLDLIB"; then
    tmppath=${tmppath}:$i
  fi
done
LD_LIBRARY_PATH=$tmppath

One solution would be to do some shell monkey work (probably something easier but I can't think of it at the moment) like this:

tmppath=""
count=0
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do
    if test "$i" != "$GMXLDLIB"; then
        if [ ${count} -eq 0 ]; then
            # first kept entry: start the list without a leading ':'
            tmppath=$i
            count=1
        else
            tmppath=${tmppath}:$i
        fi
    fi
done

That will avoid prefixing LD_LIBRARY_PATH with ":" if it's set.
Comment 1 Vincent Danen 2010-10-20 12:28:43 EDT
Created gromacs tracking bugs for this issue

Affects: fedora-all [bug 644950]
Comment 2 Vincent Danen 2010-11-09 17:38:41 EST
MITRE has disputed this with the following note:

"NOTE: CVE disputes this issue because the GMXLDLIB value is always added to the beginning of LD_LIBRARY_PATH at a later point in the script."

This can be seen in the script:

61 # NB: The variables already begin with ':' now, or are empty
62 LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH}

Seems like a strange way to handle things, but doesn't introduce any insecurities.  In fact, if nothing else, it does introduce a bug.

Using a slight variation of the script:

% cat 1
#!/bin/sh
tmppath=""
GMXLDLIB="/usr/lib"
for i in `echo $LD_LIBRARY_PATH | sed "s/:/ /g"`; do
  if test "$i" != "$GMXLDLIB"; then
    if test "${tmppath}" == ""; then
      tmppath=$i
    else
      tmppath=${tmppath}:$i
    fi
  fi
done
LD_LIBRARY_PATH=$tmppath

LD_LIBRARY_PATH=${GMXLDLIB}${LD_LIBRARY_PATH}

echo ${LD_LIBRARY_PATH}
% sh 1
/usr/lib
% LD_LIBRARY_PATH="" sh 1
/usr/lib
% LD_LIBRARY_PATH="/foo" sh 1
/usr/lib/foo
% LD_LIBRARY_PATH="/foo:/usr/lib:/bar" sh 1
/usr/lib/foo:/bar

That isn't a security issue, as GMXLDLIB always gets prefixed, but the path string gets munged badly.  Probably better to have this in there instead:

# quote the expansion so an empty or space-containing value is tested correctly
if [ -z "${LD_LIBRARY_PATH}" ]; then
    LD_LIBRARY_PATH=${GMXLDLIB}
else
    LD_LIBRARY_PATH=${GMXLDLIB}:${LD_LIBRARY_PATH}
fi


At any rate, I do agree with MITRE's assessment that this is not a security issue.
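
As an added example (not code from GMXRC.bash or from the comments above), the following POSIX sh functions do what the description and Comment 2 call for in one place: gmx_ldpath strips every existing GMXLDLIB entry and every empty entry (which ld.so(8) would treat as '.') from a LD_LIBRARY_PATH value and prefixes GMXLDLIB exactly once, and has_empty_entry is the check a packager can run on the final value. The function names and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example. gmx_ldpath GMXLDLIB CURRENT_VALUE prints the rebuilt
# LD_LIBRARY_PATH: GMXLDLIB first, then the remaining entries, with no
# empty entries (ld.so treats an empty entry as the current directory)
# and no duplicate of GMXLDLIB.
gmx_ldpath() (
    # Subshell body: the IFS and 'set -f' changes stay local to the call.
    gmxldlib=$1
    cur=$2
    new=""
    IFS=:        # split on ':' only, so entries containing spaces survive
    set -f       # no glob expansion of entries such as /opt/*/lib
    for entry in $cur; do
        # Drop empty entries and any copy of GMXLDLIB already present.
        if [ -n "$entry" ] && [ "$entry" != "$gmxldlib" ]; then
            if [ -z "$new" ]; then
                new=$entry          # first kept entry: no leading ':'
            else
                new=$new:$entry
            fi
        fi
    done
    if [ -z "$new" ]; then
        printf '%s\n' "$gmxldlib"
    else
        printf '%s\n' "$gmxldlib:$new"
    fi
)

# has_empty_entry VALUE succeeds (exit 0) if VALUE contains an empty entry:
# a leading ':', a trailing ':' or '::' anywhere. An entirely empty value
# has no entries at all and is reported as safe.
has_empty_entry() {
    case "$1" in
        "")          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Demonstration on a constructed value with an empty entry and a duplicate
# of GMXLDLIB; prints /usr/lib:/foo:/bar
gmx_ldpath /usr/lib ":/foo:/usr/lib::/bar"
```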
