Debian Bug report logs - #598296
libvips-tools: CVE-2010-3364: insecure library loading


Package: libvips-tools; Maintainer for libvips-tools is Jay Berkenbilt <qjb@debian.org>; Source for libvips-tools is src:vips.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 04:24:46 UTC

Severity: grave

Tags: security

Found in version vips/7.22.2-2

Fixed in version vips/7.22.4-1

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#598296; Package libvips-tools. (Tue, 28 Sep 2010 04:24:49 GMT)

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Tue, 28 Sep 2010 04:24:49 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: libvips-tools: CVE-2010-3364: insecure library loading
Date: Tue, 28 Sep 2010 04:22:12 +0000
Package: libvips-tools
Version: 7.22.2-2+b1
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/vips-7.22 line 108:
	export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3364. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3364
[1] http://security-tracker.debian.org/tracker/CVE-2010-3364

Sincerely,
Raphael Geissert




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598296; Package libvips-tools. (Sat, 02 Oct 2010 17:09:11 GMT)

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 02 Oct 2010 17:09:11 GMT)

Message #10 received at 598296@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Raphael Geissert <geissert@debian.org>
Cc: 598296@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#598296: libvips-tools: CVE-2010-3364: insecure library loading
Date: Sat, 02 Oct 2010 13:05:08 -0400
forwarded 598296
thanks

> Vulnerable code follows:
>
> /usr/bin/vips-7.22 line 108:
> 	export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
>
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.

I've forwarded the bug report to the upstream author and have suggested
the fix of replacing

  export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH

with

  export LD_LIBRARY_PATH=$VIPSHOME/lib${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}

which is the usual way that I deal with appending to colon-separated
variables.  I haven't indicated where the bug has been forwarded to
since I just sent it personally to the author.  They don't have a bug
tracking system, and I didn't mail it to the list....

-- 
Jay Berkenbilt <qjb@debian.org>
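An added example, not code from the bug report or from the vips package, that puts the vulnerable export line from the report and the guarded form from the reply side by side. It goes one step beyond the thread by also showing the set-but-empty case, which the `+` form does not cover but `:+` does; `/opt/vips` and `/usr/local/lib` are constructed placeholder paths.

```shell
#!/bin/sh
# Added example (not from the bug report or the vips package). Shows why the
# original export line yields an empty LD_LIBRARY_PATH element and how the two
# guarded parameter expansions avoid it. All directory names are constructed.

# Return 0 when a colon-separated list holds an empty element (leading,
# trailing or doubled ':'), which ld.so(8) treats as the current directory.
has_empty_element() {
    [ -z "$1" ] && return 1        # unset or empty variable: ld.so ignores it
    case ":$1:" in *::*) return 0 ;; esac
    return 1
}

# Pattern from the report: always appends ':' plus the old value, so an unset
# LD_LIBRARY_PATH produces a trailing ':'.
vulnerable_prepend() {
    printf '%s' "$1/lib:$LD_LIBRARY_PATH"
}

# Fix suggested in the reply: ':' plus the value is added only when the
# variable is set at all.
fixed_prepend() {
    printf '%s' "$1/lib${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
}

# Beyond the page: ':+' also covers a variable that is set but empty, where
# '+' would still emit a trailing ':'.
strict_prepend() {
    printf '%s' "$1/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Walk the three states of LD_LIBRARY_PATH through each form and report
# whether the result contains an empty element.
demo() {
    for state in unset empty set; do
        case $state in
            unset) unset LD_LIBRARY_PATH ;;
            empty) LD_LIBRARY_PATH= ;;
            set)   LD_LIBRARY_PATH=/usr/local/lib ;;
        esac
        for fn in vulnerable_prepend fixed_prepend strict_prepend; do
            out=$("$fn" /opt/vips)
            if has_empty_element "$out"; then verdict=EMPTY-ELEMENT; else verdict=ok; fi
            printf '%-6s %-18s %-30s %s\n' "$state" "$fn" "$out" "$verdict"
        done
    done
}
demo
```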




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#598296; Package libvips-tools. (Sun, 03 Oct 2010 22:09:03 GMT)

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sun, 03 Oct 2010 22:09:03 GMT)

Message #15 received at 598296@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 598296@bugs.debian.org
Subject: upstream has acknowledged bug
Date: Sun, 03 Oct 2010 18:05:09 -0400
Upstream has acknowledged and committed a fix to this problem and will
be releasing a new version that includes the fix.  Since this version of
vips/nip2 is already not in squeeze, I'll wait until the new version
comes out and re-upload.  I can backport to squeeze if/when appropriate
since that version most likely also has the problem.




Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sat, 09 Oct 2010 22:03:14 GMT)

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 09 Oct 2010 22:03:14 GMT)

Message #20 received at 598296-close@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 598296-close@bugs.debian.org
Subject: Bug#598296: fixed in vips 7.22.4-1
Date: Sat, 09 Oct 2010 22:02:37 +0000
Source: vips
Source-Version: 7.22.4-1

We believe that the bug you reported is fixed in the latest version of
vips, which is due to be installed in the Debian FTP archive:

libvips-dev_7.22.4-1_amd64.deb
  to main/v/vips/libvips-dev_7.22.4-1_amd64.deb
libvips-doc_7.22.4-1_all.deb
  to main/v/vips/libvips-doc_7.22.4-1_all.deb
libvips-tools_7.22.4-1_amd64.deb
  to main/v/vips/libvips-tools_7.22.4-1_amd64.deb
libvips15_7.22.4-1_amd64.deb
  to main/v/vips/libvips15_7.22.4-1_amd64.deb
python-vipscc_7.22.4-1_amd64.deb
  to main/v/vips/python-vipscc_7.22.4-1_amd64.deb
vips_7.22.4-1.debian.tar.gz
  to main/v/vips/vips_7.22.4-1.debian.tar.gz
vips_7.22.4-1.dsc
  to main/v/vips/vips_7.22.4-1.dsc
vips_7.22.4.orig.tar.gz
  to main/v/vips/vips_7.22.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated vips package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 09 Oct 2010 10:39:23 -0400
Source: vips
Binary: libvips15 libvips-dev libvips-tools python-vipscc libvips-doc
Architecture: source all amd64
Version: 7.22.4-1
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libvips-dev - image processing system good for very large images (dev)
 libvips-doc - image processing system good for very large images (doc)
 libvips-tools - image processing system good for very large images (tools)
 libvips15  - image processing system good for very large images
 python-vipscc - image processing system good for very large images (tools)
Closes: 598296
Changes: 
 vips (7.22.4-1) unstable; urgency=low
 .
   * New upstream release
   * Upstream release includes fix to CVE-2010-3364: insecure library
     loading.  (Closes: #598296)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Nov 2010 07:37:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 08:36:22 2014; Machine Name: beach.debian.org
