Bug 638429 (CVE-2010-3353) - CVE-2010-3353 cowbell: insecure library loading vulnerability
Summary: CVE-2010-3353 cowbell: insecure library loading vulnerability
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-3353
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 638431
Blocks:
 
Reported: 2010-09-29 00:28 UTC by Vincent Danen
Modified: 2019-09-29 12:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 20:32:30 UTC
Embargoed:



Description Vincent Danen 2010-09-29 00:28:05 UTC
Raphael Geissert conducted a review of various packages in Debian and found that cowbell contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/cowbell re-sets LD_LIBRARY_PATH insecurely:

export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

A solution is to patch the script to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

# Unset or empty: set only the library directory, never a trailing ':'.
if [ -z "${LD_LIBRARY_PATH}" ]; then
    export LD_LIBRARY_PATH=/usr/lib/foo
else
    # Non-empty: prepend the library directory to the existing search path.
    export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
fi

This issue has been assigned the name CVE-2010-3353.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286

Comment 1 Vincent Danen 2010-09-29 00:29:41 UTC
Created cowbell tracking bugs for this issue

Affects: fedora-all [bug 638431]

Comment 2 Tomas Hoger 2010-09-29 07:44:35 UTC
This one-liner should work as an alternative to if-else-fi fix:
export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

Comment 3 Thomas Janssen 2011-02-09 09:26:34 UTC
According to the colleagues from Debian project, there's no vulnerability.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#55

I'm closing it as they did. Feel free to reopen and explain why.

Comment 4 Tomas Hoger 2011-02-09 10:02:31 UTC
There is one uncommon case when ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} does the wrong thing - if you export empty LD_LIBRARY_PATH.  This setting itself is harmless and will not trigger library search relative to CWD.

$ touch libc.so.6

$ export LD_LIBRARY_PATH=

$ /bin/true

But ${foo+} and ${foo:+} expansions are different and may lead to non-empty LD_L_P with empty path component.

$ cat blah.sh 
#!/bin/sh
libdir="/usr/lib/cowbell"
export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
echo $LD_LIBRARY_PATH
/bin/true

$ ./blah.sh 
/usr/lib/cowbell:
/bin/true: error while loading shared libraries: libc.so.6: file too short

And the same with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:

$ ./blah.sh 
/usr/lib/cowbell

So while exported empty LD_L_P is uncommon, it seems reasonable to fix at least rawhide and not do an update for released Fedora versions given the limited impact.

FYI, openoffice.org had the same issue fixed recently too - see bug #641224.
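The following script is an added example, not part of this bug report and not the cowbell wrapper script. It reproduces the point of the description and of comment 4 in one place: the three states LD_LIBRARY_PATH can be in (unset, exported empty, set to a path) are fed through both the insecure ${var+word} expansion and the ${var:+word} expansion from comment 2, and a small check flags any resulting value that contains an empty component, which ld.so(8) would search as the current directory. The library directory /usr/lib/cowbell and the names naive_prepend, safe_prepend and has_empty_component are this example's own.

```shell
#!/bin/sh
# Added example: compare ${var+word} and ${var:+word} when prepending a
# library directory to LD_LIBRARY_PATH.  Not the cowbell script.

# Hypothetical library directory, standing in for ${libdir} in the report.
LIBDIR=/usr/lib/cowbell

# Put LD_LIBRARY_PATH into the requested state inside the current shell.
#   $1 = "unset" | "empty" | <path value>
set_state() {
    case $1 in
        unset) unset LD_LIBRARY_PATH ;;
        empty) LD_LIBRARY_PATH= ;;
        *)     LD_LIBRARY_PATH=$1 ;;
    esac
}

# The insecure form used by the original script: ${var+word} yields "word"
# whenever var is SET, including when it is set to the empty string, so an
# exported empty LD_LIBRARY_PATH produces a trailing ':' (an empty component).
# Runs in a subshell so the caller's environment is untouched.
naive_prepend() {
    (
        set_state "$1"
        printf '%s\n' "${LIBDIR}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
    )
}

# The one-liner fix from comment 2: ${var:+word} yields "word" only when var
# is set AND non-empty, so no separator is ever emitted without a value.
safe_prepend() {
    (
        set_state "$1"
        printf '%s\n' "${LIBDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    )
}

# Return 0 (true) if a colon-separated search path contains an empty
# component: a leading, trailing or doubled colon.  ld.so(8) treats such a
# component as '.', so a script exporting it would load libraries from the
# current working directory.  A completely empty value is ignored by ld.so
# and is therefore reported as safe.
has_empty_component() {
    [ -z "$1" ] && return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration of all three states with both expansions.
for state in unset empty /opt/lib; do
    naive=$(naive_prepend "$state")
    safe=$(safe_prepend "$state")
    verdict=ok
    if has_empty_component "$naive"; then verdict='CWD in search path'; fi
    printf 'state=%-8s naive=%-26s (%s)  safe=%s\n' \
        "$state" "$naive" "$verdict" "$safe"
done
```

Running it shows that only the "empty" state differs between the two expansions: the naive form yields /usr/lib/cowbell: and is flagged, while the :+ form yields /usr/lib/cowbell for both the unset and the empty state. The has_empty_component check is the same test a reviewer can apply to any wrapper script that builds LD_LIBRARY_PATH, PATH or similar colon-separated search lists from possibly empty variables.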

Comment 5 Tomas Hoger 2011-02-09 10:05:06 UTC
(In reply to comment #4)
> And the same with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:

${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} that should be...

Comment 6 Tomas Hoger 2011-02-09 10:20:28 UTC
(In reply to comment #3)
> According to the colleagues from Debian project, there's no vulnerability.
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#55

Debian BTS does not allow me to post follow up on that bug, mail is rejected with "550 Unknown or archived bug" error.

Comment 7 Thomas Janssen 2011-02-09 10:26:48 UTC
Ok, thanks for the explanation. I will fix it in rawhide.

I will also ping the Debian maintainer.

Comment 8 Vincent Danen 2011-06-14 16:55:04 UTC
From what I can tell, this has still not been corrected in Fedora.  Can this be taken care of?  It's a fairly minor fix.

Comment 9 Vincent Danen 2013-05-08 20:32:30 UTC
This cowbell package is no longer available in Fedora, closing.

