Debian Bug report logs - #598292
ike: CVE-2010-3361: insecure library loading

version graph

Package: ike; Maintainer for ike is Christian Hofstaedtler <zeha@debian.org>; Source for ike is src:ike.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:34 UTC

Severity: grave

Tags: security

Found in version ike/2.1.5+dfsg-1

Fixed in version ike/2.1.5+dfsg-2

Done: Philipp Matthias Hahn <pmhahn@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Philipp Matthias Hahn <pmhahn@debian.org>:
Bug#598292; Package ike. (Tue, 28 Sep 2010 04:24:36 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Philipp Matthias Hahn <pmhahn@debian.org>. (Tue, 28 Sep 2010 04:24:37 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: ike: CVE-2010-3361: insecure library loading
Date: Tue, 28 Sep 2010 04:21:55 +0000
Package: ike
Version: 2.1.5+dfsg-1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/sbin/iked line 4:
LD_LIBRARY_PATH=/usr/lib/ike:$LD_LIBRARY_PATH exec /usr/lib/ike/iked.real "$@"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3361. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3361
[1] http://security-tracker.debian.org/tracker/CVE-2010-3361

Sincerely,
Raphael Geissert




Reply sent to Philipp Matthias Hahn <pmhahn@debian.org>:
You have taken responsibility. (Mon, 11 Oct 2010 05:33:03 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Mon, 11 Oct 2010 05:33:03 GMT) Full text and rfc822 format available.

Message #10 received at 598292-close@bugs.debian.org (full text, mbox):

From: Philipp Matthias Hahn <pmhahn@debian.org>
To: 598292-close@bugs.debian.org
Subject: Bug#598292: fixed in ike 2.1.5+dfsg-2
Date: Mon, 11 Oct 2010 05:32:07 +0000
Source: ike
Source-Version: 2.1.5+dfsg-2

We believe that the bug you reported is fixed in the latest version of
ike, which is due to be installed in the Debian FTP archive:

ike-qtgui_2.1.5+dfsg-2_amd64.deb
  to main/i/ike/ike-qtgui_2.1.5+dfsg-2_amd64.deb
ike_2.1.5+dfsg-2.diff.gz
  to main/i/ike/ike_2.1.5+dfsg-2.diff.gz
ike_2.1.5+dfsg-2.dsc
  to main/i/ike/ike_2.1.5+dfsg-2.dsc
ike_2.1.5+dfsg-2_amd64.deb
  to main/i/ike/ike_2.1.5+dfsg-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Matthias Hahn <pmhahn@debian.org> (supplier of updated ike package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 08 Oct 2010 14:57:57 +0200
Source: ike
Binary: ike ike-qtgui
Architecture: source amd64
Version: 2.1.5+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Philipp Matthias Hahn <pmhahn@debian.org>
Changed-By: Philipp Matthias Hahn <pmhahn@debian.org>
Description: 
 ike        - Shrew Soft VPN client - Daemon and libraries
 ike-qtgui  - Shrew Soft VPN client - Connection manager
Closes: 598292 598293
Changes: 
 ike (2.1.5+dfsg-2) unstable; urgency=medium
 .
   * Fix "CVE-2010-3361: insecure library loading" caused by LD_LIBRARY_PATH=:
     in debian/wrappers/iked (Closes: #598292)
   * Fix "CVE-2010-3361: insecure library loading" caused by LD_LIBRARY_PATH=:
     in debian/wrappers/ike[ac] (Closes: #598293)
Checksums-Sha1: 
 f17a3d67fb73119a091a4023d427855bb9f5125d 1084 ike_2.1.5+dfsg-2.dsc
 9f46ba6664743bfe78eaeda721cf5c6710018bab 6770 ike_2.1.5+dfsg-2.diff.gz
 22a9f39594e0d2156007566f55c0edd526087c51 232940 ike_2.1.5+dfsg-2_amd64.deb
 81e63a5384d2798bf5dd2d0ffeac50dec4fcc20d 202316 ike-qtgui_2.1.5+dfsg-2_amd64.deb
Checksums-Sha256: 
 30bdf3e950da6c1608db615b919f78e5a9911a4fb8b02968067dc27904abd62f 1084 ike_2.1.5+dfsg-2.dsc
 f115db912560ea9ded66d5509317afc76421920c39dae03559a087005ee1e822 6770 ike_2.1.5+dfsg-2.diff.gz
 8a83801236e5c98056bbe048c963cd841d9d91fc635708518a1eb54a3d85375c 232940 ike_2.1.5+dfsg-2_amd64.deb
 ffc16541bcf02d9f3f6b3dac81eccf60e0da629bcd40c5be9a40df4c2c66e40c 202316 ike-qtgui_2.1.5+dfsg-2_amd64.deb
Files: 
 b60d393f13f04ae29b5caa8636a6d323 1084 net extra ike_2.1.5+dfsg-2.dsc
 8ba1516e08d7e77732413583dcab17e0 6770 net extra ike_2.1.5+dfsg-2.diff.gz
 f51131e1e0d9ebb013621e97d01092ba 232940 net extra ike_2.1.5+dfsg-2_amd64.deb
 c47344518dc8d5ff499452ed8be290b4 202316 net extra ike-qtgui_2.1.5+dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkyyn8wACgkQYPlgoZpUDjmZcACfZB5JnLUl5GsaDVWMgheDwmsE
MPcAnjg2VbrwtOms3Rsyu0lamP31Ke9a
=Ktp0
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Nov 2010 07:37:51 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:43:21 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.