ALT Linux Bugzilla – Full Text Bug Listing
| Summary: | CVE-2010-3369: insecure library loading | ||
|---|---|---|---|
| Product: | Sisyphus | Reporter: | Vladimir Lettiev <crux> |
| Component: | mono-debugger | Assignee: | Alexey Shabalin <shaba> |
| Status: | NEW --- | QA Contact: | qa-sisyphus |
| Severity: | blocker | ||
| Priority: | P3 | CC: | mike |
| Version: | unstable | Keywords: | security |
| Hardware: | all | ||
| OS: | Linux | ||
| URL: | http://bugs.debian.org/598299 | ||
В дебиане пишут, что исправлено в 2.6.3-2.1; у нас сейчас 2.10; upstream fix? |
The vulnerability is introduced by an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries on a directory other than the standard paths. Vulnerable code follows: /usr/bin/mdb-symbolreader line 2: export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}" /usr/bin/mdb line 2: export LD_LIBRARY_PATH="/usr/lib:${LD_LIBRARY_PATH}" When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.) If the given script is executed from a directory where a potential, local, attacker can write files to, there's a chance to exploit this