Bug 645471 - (CVE-2010-3364) CVE-2010-3364 vips: insecure library loading vulnerability
CVE-2010-3364 vips: insecure library loading vulnerability
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 645472
  Show dependency treegraph
Reported: 2010-10-21 11:02 EDT by Jan Lieskovsky
Modified: 2013-01-17 03:51 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-01-17 03:51:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-10-21 11:02:25 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3364 to
the following vulnerability:

The vips-7.22 script in VIPS 7.22.2 places a zero-length directory
name in the LD_LIBRARY_PATH, which allows local users to gain
privileges via a Trojan horse shared library in the current working

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598296

Affected versions:
This issue affects the versions of the vips package, as shipped with
Fedora of release:
1, 12. Relevant script is in BUILD/vips-7.18.2/src/scripts/vips-7.18
   Affected code line being:

     108         export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

2, 13. Relevant script is in BUILD/vips-7.20.7/tools/scripts/vips-7.20
   Affected code line being:

     108         export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

   The above used re-setting of LD_LIBRARY_PATH variable is insecure.

Tomas Hoger suggests (https://bugzilla.redhat.com/show_bug.cgi?id=638384#c2)
the following one-liner as a solution:


You can also query Red Hat Bugzilla system for "insecure library loading 
vulnerability" string, to get further information about all affected packages
and particular patches.

F-14 and F-15 pre-versions of vips (vips-7.22.2-1.fc14.2 and vips-7.22.2-3.fc15)
are affected by this deficiency too, just the particular vulnerable script has
different name and location.
Comment 1 Jan Lieskovsky 2010-10-21 11:06:38 EDT
Created vips tracking bugs for this issue

Affects: fedora-all [bug 645472]
Comment 2 Benjamin Gilbert 2013-01-17 03:51:19 EST
All currently-supported versions of Fedora ship a newer vips without this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.