Debian Bug report logs - #598283
ardour: CVE-2010-3349: insecure library loading


Package: src:ardour; Maintainer for src:ardour is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>;

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:05 UTC

Severity: grave

Tags: security

Merged with 598282

Fixed in version ardour/1:2.8.11-2

Done: Adrian Knoth <adi@drcomp.erfurt.thur.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#598283; Package ardour. (Tue, 28 Sep 2010 04:24:07 GMT)

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 28 Sep 2010 04:24:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: ardour: CVE-2010-3349: insecure library loading
Date: Tue, 28 Sep 2010 04:21:09 +0000
Package: ardour
Version: 1:2.8.11-1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in directories other than the standard paths.

Vulnerable code follows:

/usr/bin/ardour2 line 5:
export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3349. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3349
[1] http://security-tracker.debian.org/tracker/CVE-2010-3349

Sincerely,
Raphael Geissert

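The following is an added illustration and is not part of the bug report or of the ardour package. It is a POSIX shell snippet that builds LD_LIBRARY_PATH the way the quoted line 5 of /usr/bin/ardour2 does (leaving a trailing colon when the caller's LD_LIBRARY_PATH is unset) and the way a fixed wrapper should (appending the caller's value only when it is non-empty), plus a small check for empty elements in a colon-separated search path. The directory /usr/lib/ardour2 is the one quoted in the report; the function names are assumptions made for this illustration. It also covers the maintainer's later remark that the trailing colon is the problem when LD_LIBRARY_PATH is unset.

```shell
#!/bin/sh
# Added example (not from the Debian bug report or the ardour package).
# Function names are assumptions for this illustration; /usr/lib/ardour2 is
# the directory quoted in the report.

# Vulnerable construction, equivalent to the quoted line in /usr/bin/ardour2:
#   export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH
# When $1 (the caller's LD_LIBRARY_PATH) is empty the result ends in ':',
# and ld.so treats that empty element as '.', i.e. the current directory.
vulnerable_ldpath() {
    printf '%s\n' "/usr/lib/ardour2:$1"
}

# Hardened construction: ${var:+word} expands to word only when var is set
# and non-empty, so the ':' and the old value are appended only if there is
# an old value to append.
safe_ldpath() {
    printf '%s\n' "/usr/lib/ardour2${1:+:$1}"
}

# Return 0 (true) if a non-empty colon-separated search path contains an
# empty element: a leading ':', a trailing ':' or '::' in the middle.
# Wrapping the value in ':' on both sides turns every such case into '::'.
# Usable as a lint check over wrapper scripts or as a pre-exec guard.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with LD_LIBRARY_PATH unset, as for a typical desktop user:
unset LD_LIBRARY_PATH
vulnerable_ldpath "${LD_LIBRARY_PATH:-}"   # /usr/lib/ardour2:  (trailing colon = CWD)
safe_ldpath "${LD_LIBRARY_PATH:-}"         # /usr/lib/ardour2
```

In a wrapper script the fixed form is `export LD_LIBRARY_PATH=/usr/lib/ardour2${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`. Note that glibc's ld.so ignores LD_LIBRARY_PATH for set-user-ID and set-group-ID executables, so a defect of this kind does not cross a privilege boundary by itself; the exposure is a user running the wrapper from a directory that another local user can write to.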



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#598283; Package ardour. (Tue, 28 Sep 2010 11:51:02 GMT)

Acknowledgement sent to Adrian Knoth <adi@drcomp.erfurt.thur.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 28 Sep 2010 11:51:03 GMT)

Message #10 received at 598283@bugs.debian.org:

From: Adrian Knoth <adi@drcomp.erfurt.thur.de>
To: Raphael Geissert <geissert@debian.org>, 598283@bugs.debian.org
Subject: Re: Bug#598283: ardour: CVE-2010-3349: insecure library loading
Date: Tue, 28 Sep 2010 13:48:06 +0200
On Tue, Sep 28, 2010 at 04:21:09AM +0000, Raphael Geissert wrote:

Hi!

> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
> /usr/bin/ardour2 line 5:
> export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

Can you elaborate on this or give a link with a more detailed
explanation?

LD_LIBRARY_PATH is a well-known feature, and every binary can, by
design, be run with libraries from different paths, including CWD, if
the user sets LD_LIBRARY_PATH appropriately.

I don't see how importing LD_LIBRARY_PATH in a script is any different
from running an arbitrary binary (also with LD_LIBRARY_PATH being set).
According to your logic, every dynamically linked binary would be
vulnerable.

In other words, I don't see a security issue at all. If the user
deliberately sets LD_LIBRARY_PATH, it's his ultimate responsibility.
LD_LIBRARY_PATH is just a more cumbersome way of running completely
different code.


I might miss something, but unless you rely on RPATH, you could file
this kind of bug against almost every package. And given that
LD_LIBRARY_PATH is a valid use case, we somehow need to pass it to the
binary. I don't see that manually filtering LD_LIBRARY_PATH is any good.
The user sets it, the user gets it.


Please feel free to correct my understanding of the "issue" at hand.

Cheerio

-- 
mail: adi@thur.de  	http://adi.thur.de	PGP/GPG: key via keyserver




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#598283; Package ardour. (Tue, 28 Sep 2010 12:27:12 GMT)

Acknowledgement sent to Adrian Knoth <adi@drcomp.erfurt.thur.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 28 Sep 2010 12:27:12 GMT)

Message #15 received at 598283@bugs.debian.org:

From: Adrian Knoth <adi@drcomp.erfurt.thur.de>
To: Raphael Geissert <geissert@debian.org>, 598283@bugs.debian.org
Subject: Re: Bug#598283: ardour: CVE-2010-3349: insecure library loading
Date: Tue, 28 Sep 2010 14:26:28 +0200
On 09/28/10 13:48, Adrian Knoth wrote:

Hi!

> I might miss something

Ok, it's the trailing colon that might cause problems if LD_LIBRARY_PATH
is unset and CWD contains a malicious library.

I'm going to fix this.

Sorry for bothering you in the first place.




Bug reassigned from package 'ardour' to 'src:ardour'. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 14:09:06 GMT)

Bug no longer marked as found in versions ardour/1:2.8.11-1. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 14:09:07 GMT)

Forcibly merged 598282 598283. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 14:09:10 GMT)

Added tag(s) pending. Request was from Adrian Knoth <adi@drcomp.erfurt.thur.de> to control@bugs.debian.org. (Tue, 28 Sep 2010 19:30:05 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Nov 2010 07:36:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:32:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.