Raphael Geissert conducted a review of various packages in Debian and found that ember contained a script that could be abused by an attacker to execute arbitrary code [1]. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as '.' (the current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/ember re-sets LD_LIBRARY_PATH insecurely:

    LD_LIBRARY=$prefix/lib/ember:$LD_LIBRARY
    LD_LIBRARY_PATH=$prefix/lib/ember:$LD_LIBRARY_PATH
    export LD_LIBRARY
    export LD_LIBRARY_PATH

A solution is to patch the script to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

    if [ -z "${LD_LIBRARY_PATH}" ]; then
        export LD_LIBRARY_PATH=/usr/lib/foo
    else
        export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
    fi

This issue has been assigned the name CVE-2010-3355.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598288
Created ember tracking bugs for this issue Affects: fedora-all [bug 638382]
This one-liner should work as an alternative to the if-else-fi fix:

    export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
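The following is an added example, not code from the bug report or from the ember project. It puts the unsafe prepend pattern quoted in the report next to the ${VAR:+...} fix from the comment above, and adds a small check that flags an LD_LIBRARY_PATH value containing an empty entry (leading colon, trailing colon, or "::"), which is the condition under which ld.so searches the working directory. The function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the ember package).
# Function names and sample values are constructed for illustration.

# The pattern from the shipped wrapper: when $2 (the existing value) is
# empty, the result ends in ':', which is an empty entry, so ld.so also
# searches the current working directory.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# The one-liner fix from the thread: append the separator and the old
# value only when the old value is non-empty.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Return 0 (true) if the value contains an empty element: a leading or
# trailing colon, or two adjacent colons. A completely empty value is
# not flagged, because ld.so then has no extra search path at all.
has_empty_entry() {
    case "$1" in
        "") return 1 ;;
        :*|*:|*::*) return 0 ;;
    esac
    return 1
}

# Audit helper for the calling shell: report whether the current
# LD_LIBRARY_PATH would make ld.so look in the working directory.
check_env() {
    if has_empty_entry "${LD_LIBRARY_PATH-}"; then
        echo "LD_LIBRARY_PATH has an empty entry (cwd is searched): $LD_LIBRARY_PATH" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed values: an unset/empty existing path and
# a non-empty one.
for cur in "" "/opt/lib"; do
    u=$(unsafe_prepend /usr/lib/foo "$cur")
    s=$(safe_prepend /usr/lib/foo "$cur")
    printf 'existing=%-10s unsafe=%-20s safe=%s\n' "'$cur'" "$u" "$s"
    if has_empty_entry "$u"; then
        echo "  -> unsafe result contains an empty entry"
    fi
done
```

Run it as-is to see the two results side by side; the unsafe form yields "/usr/lib/foo:" when nothing was set before, while the safe form yields "/usr/lib/foo". has_empty_entry can be dropped into a wrapper script's sanity checks or used interactively via check_env.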
This still seems to be the case with 0.6.0. Did this get reported upstream yet? Once I get commit access, I'll get this fixed in rawhide and F15 promptly. ember is FTBFS in F13 (not sure about F14) and I can't go to 0.6.0 because it needs ogre 1.7 which is not going to be available in F13 or F14. I might be able to go to 0.5.8, but this does seem to be pretty low risk and I may not get enough time to fix it before the problem is moot.
There are no open or resolved cve bugs in ember's bug tracker, so it doesn't look like it has been reported to them.
Hi Bruno. Do you have an account on upstream's bug tracker? If you do, would you mind filing a bug with them? It's very possible that this didn't make its way upstream.
No I don't. I also ended up fixing it a bit differently than they would. For Fedora no libs are produced for ember. It looks like that is really only needed when bundling libs which we don't do. So I commented the LD stuff out. Upstream may want to use the suggestions in this bug report. Also as a side note I was struggling with the FTBFS issues on F13 and F14 making it hard to just update the script. Going to 0.6.0 is right out. I don't know about 0.5.8. The code has some substantial differences and I am not sure of the library requirements.
This has been corrected in ember-0.6.0-5.fc15, however Fedora 14 is still vulnerable to this.
That's because ember is FTBFS in F14, making it hard to do the change. Upgrading major releases needs to be done carefully. I might have a better chance to get it to build now as I have some more practice with the WF stuff since I have been updating everything to the latest in rawhide. I did mention the issue upstream, but I don't think they did anything with it. I can check their git repo and submit a patch to their mailing list though. I have been talking to these guys a bit lately, so they'd probably look at it.