Bug 638381 (CVE-2010-3355) - CVE-2010-3355 ember: insecure library loading vulnerability
Summary: CVE-2010-3355 ember: insecure library loading vulnerability
Alias: CVE-2010-3355
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 638382
TreeView+ depends on / blocked
Reported: 2010-09-28 22:03 UTC by Vincent Danen
Modified: 2019-09-29 12:39 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-09-15 17:28:28 UTC

Attachments (Terms of Use)

Description Vincent Danen 2010-09-28 22:03:35 UTC
Raphael Geissert conducted a review of various packages in Debian and found that ember contained a script that could be abused by an attacker to execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/ember re-sets LD_LIBRARY_PATH insecurely:


A solution is to patch the script to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

if [ -z ${LD_LIBRARY_PATH} ]; then
    export LD_LIBRARY_PATH=/usr/lib/foo
    export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}

This issue has been assigned the name CVE-2010-3355.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598288

Comment 1 Vincent Danen 2010-09-28 22:04:28 UTC
Created ember tracking bugs for this issue

Affects: fedora-all [bug 638382]

Comment 2 Tomas Hoger 2010-09-29 07:44:20 UTC
This one-liner should work as an alternative to if-else-fi fix:

Comment 3 Bruno Wolff III 2011-03-07 04:07:37 UTC
This still seems to be the case with 0.6.0. Did this get reported upstream yet?
Once I get commit access, I'll get this fixed in rawhide and F15 promptly. ember is FTBFS in F13 (not sure about F14) and I can't go to 0.6.0 because it needs ogre 1.7 which is not going to be available in F13 or F14. I might be able to go to 0.5.8, but this does seem to be pretty low risk and I may not get enough time to fix it before the problem is moot.

Comment 4 Bruno Wolff III 2011-03-12 15:30:28 UTC
There are no open or resolved cve bugs in ember's bug tracker, so it doesn't look like it has been reported to them.

Comment 5 Vincent Danen 2011-03-14 16:40:22 UTC
Hi Bruno.  Do you have an account on upstream's bug tracker?  If you do, would you mind filing a bug with them?  It's very possible that this didn't make it's way upstream.

Comment 6 Bruno Wolff III 2011-03-14 17:17:55 UTC
No I don't. I also ended up fixing it a bit differently than they would. For Fedora no libs are produced for ember. It looks like that is really only needed when bundling libs which we don't do. So I commented the LD stuff out. Upstream may want to use the suggestions in this bug report.

Also as a side note I was struggling with the FTBFS issues on F13 and F14 making it hard to just update the script. Going to 0.6.0 is right out. I don't know about 0.5.8. The code has some substantial differences and I am not sure of the library requirements.

Comment 7 Vincent Danen 2011-05-31 17:58:42 UTC
This has been corrected in ember-0.6.0-5.fc15, however Fedora 14 is still vulnerable to this.

Comment 8 Bruno Wolff III 2011-05-31 18:56:50 UTC
That's because ember is FTBFS in F14, making it hard to do the change. Upgrading major releases needs to be done carefully. I might have a better chance to get it to build now as I have some more practice with the WF stuff since I have been updating everything to the latest in rawhide.

I did mention the issue upstream, but I don't think they did anything with it. I can check their git repo and submit a patch to their mailing list though. I have been talking to these guys a bit lately, so they'd probably look at it.

Note You need to log in before you can comment on or make changes to this bug.