Debian Bug report logs - #598286
cowbell: CVE-2010-3353: insecure library loading


Package: cowbell; Maintainer for cowbell is Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>; Source for cowbell is src:cowbell.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:15 UTC

Severity: important

Tags: patch, security

Found in version cowbell/0.2.7.1-5

Done: Jari Aalto <jari.aalto@cante.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#598286; Package cowbell. (Tue, 28 Sep 2010 04:24:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Tue, 28 Sep 2010 04:24:17 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: cowbell: CVE-2010-3353: insecure library loading
Date: Tue, 28 Sep 2010 04:21:26 +0000
Package: cowbell
Version: 0.2.7.1-5
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/cowbell line 4:
export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3353. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3353
[1] http://security-tracker.debian.org/tracker/CVE-2010-3353

Sincerely,
Raphael Geissert




Severity set to 'important' from 'grave' Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Tue, 28 Sep 2010 23:15:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#598286; Package cowbell. (Mon, 11 Oct 2010 15:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Mon, 11 Oct 2010 15:27:03 GMT) Full text and rfc822 format available.

Message #12 received at 598286@bugs.debian.org (full text, mbox):

From: Etienne Millon <etienne.millon@gmail.com>
To: 598286@bugs.debian.org
Subject: cowbell CVE-2010-3353
Date: Mon, 11 Oct 2010 17:17:43 +0200
[Message part 1 (text/plain, inline)]
> Vulnerable code follows:
> 
> /usr/bin/cowbell line 4:
> export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

The second part only adds a colon if LD_LIBRARY_PATH is empty, so this
whole line is insecure only if ${libdir} is empty (and in that case
LD_LIBRARY_PATH will start with a colon). However, the previous line
is:

> libdir="@prefix@/lib/cowbell"

So, I believe that this use is safe.

-- 
Etienne Millon
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#598286; Package cowbell. (Sat, 16 Oct 2010 16:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Sat, 16 Oct 2010 16:21:04 GMT) Full text and rfc822 format available.

Message #17 received at 598286@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: 598286@bugs.debian.org
Cc: 598286-submitter@bugs.debian.org
Subject: Re: Bug#598286: cowbell: CVE-2010-3353: insecure library loading (possibly false positive)
Date: Sat, 16 Oct 2010 19:16:11 +0300
> > [Raphael Geissert] Vulnerable code follows:
> >
> > /usr/bin/cowbell line 4:
> > export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
>
> [Etienne]
> The second part only adds a colon if LD_LIBRARY_PATH is empty, so this
> whole line is insecure only if ${libdir} is empty (and in that case
> LD_LIBRARY_PATH will start with a colon). However, the previous line
> is :
>
> > libdir="@prefix@/lib/cowbell"
>
> So, I believe that this use is safe.

The full code of ./cowbell.in reads:

     1  #!/bin/sh
     2
     3  libdir="@prefix@/lib/cowbell"
     4  export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
     5
     6  if [ -e ./@dll@ ] && [ -e ./Makefile.am ]; then
     7          echo "*** Running uninstalled @dll@ ***"
     8          ARGS="--debug"
     9          THIS_EXE="./@dll@"
    10  else
    11          THIS_EXE="${libdir}/@dll@"
    12  fi
    13
    14  exec @runtime@ --debug $THIS_EXE $ARGS "$@"

I concur with Etienne.

Jo, or Raphael: do you agree that this can be closed?

Jari




Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598286. (Sat, 16 Oct 2010 16:21:12 GMT) Full text and rfc822 format available.

Reply sent to Iain Lane <laney@ubuntu.com>:
You have taken responsibility. (Sat, 16 Oct 2010 18:27:07 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 16 Oct 2010 18:27:07 GMT) Full text and rfc822 format available.

Message #25 received at 598286-done@bugs.debian.org (full text, mbox):

From: Iain Lane <laney@ubuntu.com>
To: Jari Aalto <jari.aalto@cante.net>, 598286-done@bugs.debian.org
Subject: Re: [pkg-cli-apps-team] Bug#598286: cowbell: CVE-2010-3353: insecure library loading (possibly false positive)
Date: Sat, 16 Oct 2010 19:25:41 +0100
[Message part 1 (text/plain, inline)]
Version: 0.2.7.1-5

On Sat, Oct 16, 2010 at 07:16:11PM +0300, Jari Aalto wrote:
>> > [Raphael Geissert] Vulnerable code follows:
>> >
>> > /usr/bin/cowbell line 4:
>> > export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
>>
>> [Etienne]
>> The second part only adds a colon if LD_LIBRARY_PATH is empty, so this
>> whole line is insecure only if ${libdir} is empty (and in that case
>> LD_LIBRARY_PATH will start with a colon). However, the previous line
>> is :
>>
>> > libdir="@prefix@/lib/cowbell"
>>
>> So, I believe that this use is safe.
>
>The full code of ./cowbell.in reads:
>
>     1  #!/bin/sh
>     2
>     3  libdir="@prefix@/lib/cowbell"
>     4  export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
>     5
>     6  if [ -e ./@dll@ ] && [ -e ./Makefile.am ]; then
>     7          echo "*** Running uninstalled @dll@ ***"
>     8          ARGS="--debug"
>     9          THIS_EXE="./@dll@"
>    10  else
>    11          THIS_EXE="${libdir}/@dll@"
>    12  fi
>    13
>    14  exec @runtime@ --debug $THIS_EXE $ARGS "$@"
>
>I concur with Etienne.
>
>Jo, or Raphael: do you agree that this can be closed?

I do. Thanks for the analysis.

Cheers,
Iain
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#598286; Package cowbell. (Mon, 18 Oct 2010 09:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Mon, 18 Oct 2010 09:09:03 GMT) Full text and rfc822 format available.

Message #30 received at 598286@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: control@bugs.debian.org, 598286@bugs.debian.org, 598286-submitter@bugs.debian.org
Subject: Bug#598286 cowbell: NMU diff for 0.2.7.1-5--0.2.7.1-5.1 (CVE-2010-3353)
Date: Mon, 18 Oct 2010 12:06:49 +0300
[Message part 1 (text/plain, inline)]
reopen 598286
tags 598286 + patch
thanks

>The full code of ./cowbell.in reads:
>
>     1  #!/bin/sh
>     2
>     3  libdir="@prefix@/lib/cowbell"
>     4  export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

Uhm, there are more problems than meet the eye at first glance:

    (
        libdir="/usr/lib/cowbell"
        LD_LIBRARY_PATH="::"
        LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
        echo $LD_LIBRARY_PATH
    )

    # => /usr/lib/cowbell:::

Proposed NMU follows.

Jari

[cowbell_0.2.7.1-5--0.2.7.1-5.1.deb.diff (text/x-diff, inline)]
diffstat for cowbell_0.2.7.1-5 cowbell_0.2.7.1-5.1

 cowbell-0.2.7.1/debian/changelog                 |   12 +++++
 debian/patches/10_CVE_2010_3353__bug598286.patch |   47 +++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff -u cowbell-0.2.7.1/debian/changelog cowbell-0.2.7.1/debian/changelog
--- cowbell-0.2.7.1/debian/changelog
+++ cowbell-0.2.7.1/debian/changelog
@@ -1,3 +1,15 @@
+cowbell (0.2.7.1-5.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+    - Move to packaging format "3.0 (quilt)" due to patch.
+  * debian/patches
+    - (Number 10): New patch. Fix CVE-2010-3353 insecure library loading.
+      (important, security; Closes: #598286).
+  * debian/source/format
+   - New file.
+
+ -- Jari Aalto <jari.aalto@cante.net>  Mon, 18 Oct 2010 11:59:30 +0300
+
 cowbell (0.2.7.1-5) unstable; urgency=low
 
   * debian/control:
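Review bot: The changelog entry announces a move to source format "3.0 (quilt)" and a new debian/source/format file, but the diffstat above lists only debian/changelog and debian/patches/10_CVE_2010_3353__bug598286.patch, so that file is not in this NMU diff; either drop those two changelog bullets or include the file. Since nothing in the diff touches debian/rules or debian/source/format either, check that something actually applies debian/patches/10_CVE_2010_3353__bug598286.patch at build time, otherwise the upload ships the patch without using it.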
only in patch2:
unchanged:
--- cowbell-0.2.7.1.orig/debian/patches/10_CVE_2010_3353__bug598286.patch
+++ cowbell-0.2.7.1/debian/patches/10_CVE_2010_3353__bug598286.patch
@@ -0,0 +1,47 @@
+From b0e48de8c9a9ca853eab1a5bf5b90651eb28a10e Mon Sep 17 00:00:00 2001
+From: Jari Aalto <jari.aalto@cante.net>
+Date: Mon, 18 Oct 2010 11:54:16 +0300
+Subject: [PATCH] CVE-2010-3353 insecure library loading Bug#598286
+Organization: Private
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jari Aalto <jari.aalto@cante.net>
+---
+ cowbell.in |   17 ++++++++++++++++-
+ 1 files changed, 16 insertions(+), 1 deletions(-)
+ mode change 100644 => 100755 cowbell.in
+
+diff --git a/cowbell.in b/cowbell.in
+old mode 100644
+new mode 100755
+index 0e68ebc..0274cc8
+--- a/cowbell.in
++++ b/cowbell.in
+@@ -1,7 +1,22 @@
+ #!/bin/sh
+ 
++
++Pathclean ()
++{
++   # Vulnerability fix for insecure library loading
++   # Make sure "::", "^:" or ":$" is not left in path arg $1
++
++   local tmp123xyz
++   tmp123xyz=$(echo "$1" | sed -e 's/::\+// ; s/^:// ; s/:$//' )
++
++   [ "$tmp123xyz" ] && echo "$tmp"
++}
++
+ libdir="@prefix@/lib/cowbell"
+-export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
++
++LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
++LD_LIBRARY_PATH=$(Pathclean "$LD_LIBRARY_PATH")
++export LD_LIBRARY_PATH
+ 
+ if [ -e ./@dll@ ] && [ -e ./Makefile.am ]; then
+ 	echo "*** Running uninstalled @dll@ ***"
+-- 
+1.7.1
+
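Review bot: Pathclean in the nested cowbell.in hunk never returns the cleaned value: it stores the result in tmp123xyz but the last line reads `[ "$tmp123xyz" ] && echo "$tmp"`, and `$tmp` is unset, so `LD_LIBRARY_PATH=$(Pathclean "$LD_LIBRARY_PATH")` sets LD_LIBRARY_PATH to the empty string and the program's own libdir is dropped from the search path; change it to `echo "$tmp123xyz"`. The sed expression is also wrong in its own right: `s/::\+//` deletes the colons instead of collapsing them, turning `a::b` into the single bogus entry `ab`, and without the `g` flag only the first run is touched; something like `s/::*/:/g` would collapse runs to one separator. Note too that `\+` in a basic regex and the `local` keyword are GNU/dash extensions in a `#!/bin/sh` script.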

Bug No longer marked as fixed in versions 0.2.7.1-5 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Oct 2010 09:09:04 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Jari Aalto <jari.aalto@cante.net> to control@bugs.debian.org. (Mon, 18 Oct 2010 09:09:05 GMT) Full text and rfc822 format available.

Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598286. (Mon, 18 Oct 2010 09:09:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#598286; Package cowbell. (Mon, 18 Oct 2010 09:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Iain Lane <laney@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Mon, 18 Oct 2010 09:30:02 GMT) Full text and rfc822 format available.

Message #42 received at 598286@bugs.debian.org (full text, mbox):

From: Iain Lane <laney@ubuntu.com>
To: Jari Aalto <jari.aalto@cante.net>, 598286@bugs.debian.org
Cc: 598286-submitter@bugs.debian.org
Subject: Re: [pkg-cli-apps-team] Bug#598286: cowbell: NMU diff for 0.2.7.1-5--0.2.7.1-5.1 (CVE-2010-3353)
Date: Mon, 18 Oct 2010 10:28:45 +0100
[Message part 1 (text/plain, inline)]
Hello,

On Mon, Oct 18, 2010 at 12:06:49PM +0300, Jari Aalto wrote:
>reopen 598286
>tags 598286 + patch
>thanks
>
>>The full code of ./cowbell.in reads:
>>
>>     1  #!/bin/sh
>>     2
>>     3  libdir="@prefix@/lib/cowbell"
>>     4  export LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
>
>Uhm, there are more problems that met the eye at first glance:
>
>    (
>        libdir="/usr/lib/cowbell"
>        LD_LIBRARY_PATH="::"
>        LD_LIBRARY_PATH=${libdir}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}
>        echo $LD_LIBRARY_PATH
>    )
>
>    # => /usr/lib/cowbell:::
>
>Proposed NMU follows.

OK, please upload. I don't see the source format change in your diff
(and this is an undesirable change to introduce in an NMU anyway, so
please don't do that).

Cheers,
Iain
[signature.asc (application/pgp-signature, inline)]

Message sent on to Raphael Geissert <geissert@debian.org>:
Bug#598286. (Mon, 18 Oct 2010 09:30:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>:
Bug#598286; Package cowbell. (Mon, 18 Oct 2010 19:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Etienne Millon <etienne.millon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian CLI Applications Team <pkg-cli-apps-team@lists.alioth.debian.org>. (Mon, 18 Oct 2010 19:24:06 GMT) Full text and rfc822 format available.

Message #50 received at 598286@bugs.debian.org (full text, mbox):

From: Etienne Millon <etienne.millon@gmail.com>
To: jari.aalto@cante.net, 598305@bugs.debian.org
Cc: 598309@bugs.debian.org, 598286@bugs.debian.org
Subject: Re: Bug#598305: teamspeak-server: NMU diff for 2.0.24.1+debian-1.1 (Intent to NMU)
Date: Mon, 18 Oct 2010 21:21:31 +0200
[Message part 1 (text/plain, inline)]
(CC'ed to #598309 and #598286)

Hello,

> +   # Make sure "::", "^:" or ":$" is not left in path arg $1

Thanks for this extra check. However, I am not sure that it is the
correct way to fix this one. I believe that the bug report means: "do
not add '.' to LD_LIBRARY_PATH, *unless it was there before*". If a
user has explicitly included it, he will expect it not to be silently
cleaned.

Regards

-- 
Etienne Millon
[signature.asc (application/pgp-signature, inline)]
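A worked comparison of the two prepend idioms discussed in this thread (the `${VAR+...}` form from cowbell.in in message #12 and the `${VAR:+...}` form from the NMU in message #30) across the unset, set-but-empty and user-supplied `::` cases. It is an added example, not code from the bug log or the cowbell package, and it follows the objection in message #50 by only reporting empty entries rather than rewriting the user's path; `libdir` is hard-coded to /usr/lib/cowbell as a stand-in for `@prefix@/lib/cowbell`.

```shell
#!/bin/sh
# Added example, not code from the bug log or the cowbell package.
# Compares the prepend idiom from cowbell.in (${VAR+...}) with the one from the
# NMU (${VAR:+...}) and reports empty entries, which ld.so(8) treats as the
# current directory, instead of rewriting the user's path.

libdir="/usr/lib/cowbell"   # assumption: stands in for @prefix@/lib/cowbell

# cowbell.in idiom: ${1+x} expands to x whenever $1 is set, even when it is
# empty, so a set-but-empty LD_LIBRARY_PATH leaves a trailing ":" behind.
prepend_plus () {
    printf '%s\n' "${libdir}${1+:$1}"
}

# NMU idiom: ${1:+x} expands to x only when $1 is set and non-empty.
prepend_colon_plus () {
    printf '%s\n' "${libdir}${1:+:$1}"
}

# Count empty entries ("::", leading ":" or trailing ":") in a colon-separated
# path. An empty path has no entries at all and is reported as 0.
count_empty_entries () {
    n=0
    if [ -n "$1" ]; then
        rest="$1:"
        while [ -n "$rest" ]; do
            entry=${rest%%:*}
            rest=${rest#*:}
            if [ -z "$entry" ]; then n=$((n + 1)); fi
        done
    fi
    echo "$n"
}

# Walk the cases raised in the thread: LD_LIBRARY_PATH unset, set but empty,
# and the user-supplied "::" from message #30 (passed as $1 to the idioms).
for idiom in prepend_plus prepend_colon_plus; do
    for value in UNSET "" "::"; do
        if [ "$value" = UNSET ]; then
            result=$("$idiom")
        else
            result=$("$idiom" "$value")
        fi
        printf '%-18s %-7s -> %-22s empty entries: %s\n' \
            "$idiom" "'$value'" "$result" "$(count_empty_entries "$result")"
    done
done
```

Running it shows that only the `${VAR+...}` form turns a set-but-empty LD_LIBRARY_PATH into a trailing colon, while a deliberate `::` survives both forms and is simply counted.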

Reply sent to Jari Aalto <jari.aalto@cante.net>:
You have taken responsibility. (Sun, 24 Oct 2010 16:03:11 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sun, 24 Oct 2010 16:03:11 GMT) Full text and rfc822 format available.

Message #55 received at 598286-done@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: 598286-done@bugs.debian.org
Subject: Bug#598286 Close bts:debian
Date: Sun, 24 Oct 2010 19:01:48 +0300
Reason for close:

Analysis according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#25
is correct: there is no vulnerability.

The extra check proposed in NMU
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598286#30 is not needed
as per Debian release Team (Julien Cristau):

     IRC #debian-qa
     <jcristau> if the user set LD_LIBRARY_PATH="::" then they shot
                themselves in the foot, and you're not
                supposed to clean up after them.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Nov 2010 07:33:38 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 15:58:43 2014; Machine Name: buxtehude.debian.org
