Raphael Geissert conducted a review of various packages in Debian and found that cowbell contained a script that could be abused by an attacker to execute arbitrary code [1]. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/cowbell re-sets LD_LIBRARY_PATH insecurely:

  export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

A solution is to patch the script to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

  if [ -z "${LD_LIBRARY_PATH}" ]; then
      export LD_LIBRARY_PATH=/usr/lib/foo
  else
      export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
  fi

This issue has been assigned the name CVE-2010-3353.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286
Created cowbell tracking bugs for this issue

Affects: fedora-all [bug 638431]
This one-liner should work as an alternative to the if-else-fi fix:

  export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
According to the colleagues from the Debian project, there's no vulnerability.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#55

I'm closing it as they did. Feel free to reopen and explain why.
There is one uncommon case when ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} does the wrong thing - if you export an empty LD_LIBRARY_PATH. This setting itself is harmless and will not trigger library search relative to CWD.

  $ touch libc.so.6
  $ export LD_LIBRARY_PATH=
  $ /bin/true

But ${foo+} and ${foo:+} expansions are different and may lead to a non-empty LD_L_P with an empty path component.

  $ cat blah.sh
  #!/bin/sh
  libdir="/usr/lib/cowbell"
  export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
  echo $LD_LIBRARY_PATH
  /bin/true
  $ ./blah.sh
  /usr/lib/cowbell:
  /bin/true: error while loading shared libraries: libc.so.6: file too short

And the same with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:

  $ ./blah.sh
  /usr/lib/cowbell

So while an exported empty LD_L_P is uncommon, it seems reasonable to fix at least rawhide and not do an update for released Fedora versions given the limited impact.

FYI, openoffice.org had the same issue fixed recently too - see bug #641224.
(In reply to comment #4)
> And the same with the ${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}:

${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} that should be...
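As an added illustration of the ${VAR+...} versus ${VAR:+...} difference behind the one-liner and the empty-LD_LIBRARY_PATH case discussed above (this is not code from the bug, from cowbell or from Fedora): two POSIX sh helpers build the path each way, and has_empty_component flags any value ld.so would read as containing the current directory. The libdir and /opt/lib values are constructed for the demonstration.

```shell
# Added example (not from the bug or cowbell): builds LD_LIBRARY_PATH the two
# ways discussed above and checks the result for empty components. POSIX sh.

# Original cowbell form: ${VAR+text} yields "text" whenever VAR is set, even
# when it is set to the empty string, so an exported empty LD_LIBRARY_PATH
# produces a trailing ':' that ld.so reads as the current directory.
insecure_ldpath() {
    printf '%s' "$1${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
}

# Fixed form: ${VAR:+text} yields "text" only when VAR is set AND non-empty.
secure_ldpath() {
    printf '%s' "$1${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Returns 0 if the colon-separated list has an empty component (leading ':',
# trailing ':' or '::'). A completely empty value is ignored by ld.so and is
# therefore not flagged.
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration with a constructed libdir and three states of the variable;
# each iteration runs in a subshell so the caller's environment is untouched.
demo() {
    libdir=/usr/lib/cowbell
    for state in unset empty nonempty; do
        (
            case $state in
                unset)    unset LD_LIBRARY_PATH ;;
                empty)    export LD_LIBRARY_PATH= ;;
                nonempty) export LD_LIBRARY_PATH=/opt/lib ;;
            esac
            ins=$(insecure_ldpath "$libdir")
            sec=$(secure_ldpath "$libdir")
            flag=ok
            has_empty_component "$ins" && flag='EMPTY COMPONENT'
            printf '%-8s insecure=%-24s [%s]  secure=%s\n' \
                "$state" "$ins" "$flag" "$sec"
        )
    done
}

demo
```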
(In reply to comment #3)
> According to the colleagues from Debian project, there's no vulnerability.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#55

Debian BTS does not allow me to post a follow-up on that bug; mail is rejected with a "550 Unknown or archived bug" error.
Ok, thanks for the explanation. I will fix it in rawhide. I will also ping the Debian maintainer.
From what I can tell, this has still not been corrected in Fedora. Can this be taken care of? It's a fairly minor fix.
This cowbell package is no longer available in Fedora, closing.