Raphael Geissert conducted a review of various packages in Debian and found that mono-debugger contained a script that could be abused by an attacker to execute arbitrary code [1]. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/mdb and /usr/bin/mdb-symbolreader both re-set LD_LIBRARY_PATH insecurely:

    export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}"

A solution is to patch the scripts to test if $LD_LIBRARY_PATH is set first before attempting to modify it:

    if [ -z "${LD_LIBRARY_PATH}" ]; then
        export LD_LIBRARY_PATH=/usr/lib/foo
    else
        export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
    fi

This issue has been assigned the name CVE-2010-3369.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598299
Created mono-debugger tracking bugs for this issue

Affects: fedora-all [bug 638388]
This one-liner should work as an alternative to the if-else-fi fix:

    export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
This looks to be corrected in 2.10 with this Pathclean() function:

    Pathclean ()
    {
        # Vulnerability fix for insecure path content
        # Make sure "::", "^:" or ":$" is not left in path arg $1

        local tmp
        tmp=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )

        [ "$tmp" ] && echo "$tmp"
    }

    LD_LIBRARY_PATH="@libdir@${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    LD_LIBRARY_PATH=$(Pathclean "$LD_LIBRARY_PATH")
    export LD_LIBRARY_PATH

which is the current version we provide:

Fedora-16: http://koji.fedoraproject.org/packages/mono-debugger/2.10/1.fc16
Fedora-17: http://koji.fedoraproject.org/packages/mono-debugger/2.10/3.fc17
Fedora-Rawhide: http://koji.fedoraproject.org/packages/mono-debugger/2.10/4.fc18
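As an added example (not code from the bug report or from the mono-debugger package), the helpers below contrast the unconditional prepend quoted in the first comment with the ${VAR:+:$VAR} idiom, and add a detector for empty elements plus a pure-POSIX cleaner that plays the role of Pathclean() without GNU sed extensions. The function names has_empty_element, unsafe_prepend, safe_prepend and clean_ld_path are chosen here.

```shell
#!/bin/sh
# Added example: handling LD_LIBRARY_PATH so that no element is empty.
# An empty element ("::", leading ":" or trailing ":") makes ld.so(8) search
# the current working directory, which is the root cause of CVE-2010-3369.

# Return 0 (true) if the colon-separated list in $1 contains an empty element.
has_empty_element() {
    case "$1" in
        *::*|:*|*:) return 0 ;;
        *)          return 1 ;;
    esac
}

# The vulnerable pattern from the original /usr/bin/mdb: always prepend "$1:".
# With $2 empty the result is "/usr/lib:", i.e. a trailing empty element.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# The fixed pattern: add the separator only when the old value is non-empty.
safe_prepend() {
    printf '%s\n' "$1${2:+:$2}"
}

# Remove every empty element from a colon-separated list, wherever it sits.
# Runs in a subshell so the changed IFS does not leak to the caller.
clean_ld_path() (
    out=""
    IFS=':'
    for field in $1; do
        [ -n "$field" ] || continue
        out="${out:+$out:}$field"
    done
    printf '%s\n' "$out"
)

# Demonstration with the variable unset, as for a user whose shell never set it.
unset LD_LIBRARY_PATH
printf 'unsafe: %s\n' "$(unsafe_prepend /usr/lib "$LD_LIBRARY_PATH")"  # /usr/lib:
printf 'safe:   %s\n' "$(safe_prepend /usr/lib "$LD_LIBRARY_PATH")"    # /usr/lib
```

Calling has_empty_element on the final value before exporting it is a cheap regression check for this class of bug in any wrapper script.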