Bug 672468 (CVE-2011-0532) - CVE-2011-0532 Directory Server: use of insecure LD_LIBRARY_PATH settings
Summary: CVE-2011-0532 Directory Server: use of insecure LD_LIBRARY_PATH settings
Alias: CVE-2011-0532
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 670922
TreeView+ depends on / blocked
Reported: 2011-01-25 08:08 UTC by Tomas Hoger
Modified: 2019-09-29 12:42 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-22 07:58:21 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0293 0 normal SHIPPED_LIVE Moderate: Red Hat Directory Server security update 2011-02-22 17:46:00 UTC

Description Tomas Hoger 2011-01-25 08:08:57 UTC
It was discovered that 398 / Red Hat Directory Server set LD_LIBRARY_PATH environment variable to insecure value containing empty path elements in various shell scripts used by DS (e.g. various backup/restore scripts instantiated for each DS instance, as well as the main initialization script).  Such LD_LIBRARY_PATH setting causes ld.so dynamic linker to perform library search relative to the current working directory before searching system library directories.  A local attacker able to trick a user running those scripts (usually the root user) to run them while working from an attacker writeable directory could use this flaw to escalate their privileges via specially crated dynamic library.

Comment 1 Tomas Hoger 2011-01-25 08:20:45 UTC
Examples include:

- dirsrv init script

- ldap-agent

- backup scripts
  if [ -n "$prefix" ] ; then

This issue is result of an expansion of certain configure variables to an empty string.

Comment 2 Tomas Hoger 2011-01-25 08:23:30 UTC
Most scripts also set SHLIB_PATH to the same value as LD_LIBRARY_PATH.  I don't know if HP-UX dynamic linker handles empty paths in SHLIB_PATH in the same way as glibc ld.so does in LD_LIBRARY_PATH.  Can anyone with access to HP-UX system verify this?  DS scripts usually do SHLIB_PATH=$LD_LIBRARY_PATH or similar, so LD_LIBRARY_PATH fix should resolve most SHLIB_PATH issues too.

Comment 19 errata-xmlrpc 2011-02-22 17:46:12 UTC
This issue has been addressed in following products:

  Red Hat Directory Server 8 for RHEL 4
  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2011:0293 https://rhn.redhat.com/errata/RHSA-2011-0293.html

Note You need to log in before you can comment on or make changes to this bug.