CVE-2010-3365: insecure library loading

Bug #651054 reported by Siegfried Gevatter
Affects             Status        Importance  Assigned to  Milestone
mistelix (Ubuntu)   Fix Released  Undecided   Unassigned
Karmic              Fix Released  Undecided   Unassigned
Lucid               Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: mistelix

From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598297:

Package: mistelix
Version: 0.31-1
Severity: grave
Tags: security
User: <email address hidden>
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.

Vulnerable code follows:

/usr/bin/mistelix line 8:
export LD_LIBRARY_PATH=$libdir/mistelix/:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3365. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3365
[1] http://security-tracker.debian.org/tracker/CVE-2010-3365

Sincerely,
Raphael Geissert

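The empty-element problem from the report, shown as an added example rather than the mistelix package's own wrapper: the report's export pattern next to a form that never produces an empty element, plus a check a packager can run on the resulting value. The directory /usr/lib/mistelix is assumed in place of $libdir/mistelix/.

```shell
#!/bin/sh
# Added example, not the mistelix wrapper script. Shows why the line
# from the report leaves an empty LD_LIBRARY_PATH element when the
# variable is unset, and a safe way to prepend a directory.

# Hypothetical library directory standing in for $libdir/mistelix/
LIBDIR="/usr/lib/mistelix"

# The pattern from the report: always append ":$LD_LIBRARY_PATH".
# With LD_LIBRARY_PATH unset this yields "/usr/lib/mistelix/:", whose
# trailing empty element ld.so resolves to the current directory.
vulnerable_path() {
    printf '%s\n' "$LIBDIR/:$1"
}

# Hardened form: only add the separator when the caller's value is
# non-empty, so no empty element can ever appear.
safe_path() {
    if [ -n "$1" ]; then
        printf '%s\n' "$LIBDIR/:$1"
    else
        printf '%s\n' "$LIBDIR/"
    fi
}

# Returns 0 (true) if a colon-separated path contains an empty element:
# a leading ":", a trailing ":" or a "::" in the middle. Wrapping the
# value in colons turns all three cases into a "::" substring.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Run both forms the way the wrapper would see them when started with
# LD_LIBRARY_PATH unset or empty.
for p in "$(vulnerable_path "")" "$(safe_path "")"; do
    if has_empty_element "$p"; then
        echo "UNSAFE: $p"
    else
        echo "ok:     $p"
    fi
done
```
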
Siegfried Gevatter (rainct) wrote :

Attaching a debdiff for Lucid.

Changed in mistelix (Ubuntu):
status: New → Triaged
status: Triaged → Fix Released
Siegfried Gevatter (rainct) wrote :
Changed in mistelix (Ubuntu Lucid):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

The lucid debdiff uses the wrong version in the changelog. Lucid has 0.31-0ubuntu1 so the version in the security update should be 0.31-0ubuntu1.1. I'll fix this up and get it uploaded.

Changed in mistelix (Ubuntu Lucid):
status: Confirmed → Triaged
Changed in mistelix (Ubuntu Karmic):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Also, the lucid changelog should reference LP: #651054.

Jamie Strandboge (jdstrand) wrote :

Uploaded to security PPA. Will publish after they finish building. Thanks for the patch!

Changed in mistelix (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in mistelix (Ubuntu Karmic):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mistelix - 0.31-0ubuntu1.1

---------------
mistelix (0.31-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: insecure LD_LIBRARY_PATH redefinition (LP: #651054)
    - Add debian/patches/insecure-library-loading.patch
    - CVE-2010-3365
 -- Siegfried-Angel Gevatter Pujals <email address hidden> Wed, 29 Sep 2010 13:28:29 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mistelix - 0.30-0ubuntu1.1

---------------
mistelix (0.30-0ubuntu1.1) karmic-security; urgency=low

  * SECURITY UPDATE: insecure LD_LIBRARY_PATH redefinition (LP: #651054)
    - Add debian/patches/insecure-library-loading.patch
    - Patch based on work by Siegfried-Angel Gevatter Pujals
    - CVE-2010-3365
 -- Jamie Strandboge <email address hidden> Mon, 04 Oct 2010 14:42:27 -0500

Changed in mistelix (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in mistelix (Ubuntu Lucid):
status: Fix Committed → Fix Released