Debian Bug report logs - #598422
scilab: CVE-2010-3378: insecure library loading

Package: scilab; Maintainer for scilab is Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>; Source for scilab is src:scilab.

Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 28 Sep 2010 21:09:14 UTC

Severity: grave

Tags: security

Found in version scilab/5.2.2-4

Fixed in version scilab/5.2.2-8

Done: Sylvestre Ledru <sylvestre@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#598422; Package scilab. (Tue, 28 Sep 2010 21:09:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Tue, 28 Sep 2010 21:09:17 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: scilab: CVE-2010-3378: insecure library loading
Date: Tue, 28 Sep 2010 21:07:17 +0000
Package: scilab
Version: 5.2.2-4
Severity: grave
Tags: security
User: team@security.debian.org
Usertags: ldpath

Hello,

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries on a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/scilab-adv-cli line 280:
                    LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH"
/usr/bin/scilab-adv-cli line 459:
		    LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab-adv-cli line 518:
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/"
/usr/bin/scilab-adv-cli line 534:
LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH
/usr/bin/scilab line 283:
                    LD_LIBRARY_PATH="$JAVA_HOME/../Libraries:$LD_LIBRARY_PATH"
/usr/bin/scilab line 462:
		    LD_LIBRARY_PATH="$JRE_HOME/lib/$proc/:$JRE_HOME/lib/$proc/server/:$JRE_HOME/lib/$proc/native_threads/:$LD_LIBRARY_PATH"
/usr/bin/scilab line 521:
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/sw/lib/"
/usr/bin/scilab line 537:
LD_LIBRARY_PATH=/usr/lib/scilab/:/usr/lib64/scilab/:$LD_LIBRARY_PATH

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3378. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3378
[1] http://security-tracker.debian.org/tracker/CVE-2010-3378

Sincerely,
Raphael Geissert




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>:
Bug#598422; Package scilab. (Thu, 30 Sep 2010 00:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>. (Thu, 30 Sep 2010 00:45:03 GMT) Full text and rfc822 format available.

Message #10 received at 598422@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: 598422@bugs.debian.org
Subject: Re: Bug#598422: scilab: CVE-2010-3378: insecure library loading
Date: Wed, 29 Sep 2010 19:42:59 -0500

On 28 September 2010 16:15, Sylvestre Ledru <sylvestre@debian.org> wrote:
>
>> The vulnerability is introduced by an insecure change to
>> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
>> libraries on a directory other than the standard paths.
> OK. I will fix that asap (today or tomorrow)
> To you, what would be the best way to fix this issue ?

If you prefer readability:
if [ -z "$LD_LIBRARY_PATH" ]; then
    # unset or empty: no colon, so no empty list item
    LD_LIBRARY_PATH=/foo
else
    LD_LIBRARY_PATH=/foo:$LD_LIBRARY_PATH
fi

But if you want a one-liner to avoid duplication:
LD_LIBRARY_PATH=/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

(be careful with the two colons, removing the first one re-introduces
the vulnerability)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
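
Added example, not part of the original messages or of the scilab scripts: it compares the plain concatenation quoted in the report with the ${VAR:+...} form suggested in the reply, and checks each result for the empty list item the report describes. It also covers the append case (the "$LD_LIBRARY_PATH:/sw/lib/" lines), which the reply does not spell out. The helper names are hypothetical.

```sh
#!/bin/sh
# Added illustration; helper names are hypothetical, not from the scilab scripts.

# Succeeds when a colon-separated list has an empty item (leading, trailing
# or doubled colon), the case the report says ld.so treats as '.'.
has_empty_entry() {
    case "$1" in
        "")          return 1 ;;  # empty value: no items at all, nothing to flag
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Patterns from the report: DIR is joined to CURRENT with an unconditional colon.
unsafe_prepend() { printf '%s\n' "$1:$2"; }
unsafe_append()  { printf '%s\n' "$2:$1"; }

# Corrected forms: the colon is emitted only when CURRENT is set and non-empty.
prepend_dir() { printf '%s\n' "$1${2:+:$2}"; }
append_dir()  { printf '%s\n' "${2:+$2:}$1"; }

# Run every variant with an empty and a non-empty starting value
# (constructed sample values) and report which results are unsafe.
demo() {
    for current in "" "/opt/lib"; do
        for fn in unsafe_prepend prepend_dir unsafe_append append_dir; do
            result=$("$fn" /usr/lib/scilab/ "$current")
            if has_empty_entry "$result"; then
                verdict="empty item: CWD would be searched"
            else
                verdict="ok"
            fi
            printf '%-15s current=%-11s -> %-28s %s\n' \
                "$fn" "'$current'" "$result" "$verdict"
        done
    done
}

demo
```

The helpers do not sanitise a starting value that already contains an empty item (for example "/a::/b"); has_empty_entry can be used to reject such input first.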




Reply sent to Sylvestre Ledru <sylvestre@debian.org>:
You have taken responsibility. (Sat, 02 Oct 2010 22:21:13 GMT) Full text and rfc822 format available.

Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 02 Oct 2010 22:21:13 GMT) Full text and rfc822 format available.

Message #15 received at 598422-close@bugs.debian.org (full text, mbox):

From: Sylvestre Ledru <sylvestre@debian.org>
To: 598422-close@bugs.debian.org
Subject: Bug#598422: fixed in scilab 5.2.2-8
Date: Sat, 02 Oct 2010 22:18:14 +0000
Source: scilab
Source-Version: 5.2.2-8

We believe that the bug you reported is fixed in the latest version of
scilab, which is due to be installed in the Debian FTP archive:

libscilab-java_5.2.2-8_amd64.deb
  to main/s/scilab/libscilab-java_5.2.2-8_amd64.deb
scilab-cli_5.2.2-8_all.deb
  to main/s/scilab/scilab-cli_5.2.2-8_all.deb
scilab-data_5.2.2-8_all.deb
  to main/s/scilab/scilab-data_5.2.2-8_all.deb
scilab-doc-fr_5.2.2-8_all.deb
  to main/s/scilab/scilab-doc-fr_5.2.2-8_all.deb
scilab-doc-pt-br_5.2.2-8_all.deb
  to main/s/scilab/scilab-doc-pt-br_5.2.2-8_all.deb
scilab-doc_5.2.2-8_all.deb
  to main/s/scilab/scilab-doc_5.2.2-8_all.deb
scilab-full-bin-dbg_5.2.2-8_amd64.deb
  to main/s/scilab/scilab-full-bin-dbg_5.2.2-8_amd64.deb
scilab-full-bin_5.2.2-8_amd64.deb
  to main/s/scilab/scilab-full-bin_5.2.2-8_amd64.deb
scilab-include_5.2.2-8_amd64.deb
  to main/s/scilab/scilab-include_5.2.2-8_amd64.deb
scilab-minimal-bin-dbg_5.2.2-8_amd64.deb
  to main/s/scilab/scilab-minimal-bin-dbg_5.2.2-8_amd64.deb
scilab-minimal-bin_5.2.2-8_amd64.deb
  to main/s/scilab/scilab-minimal-bin_5.2.2-8_amd64.deb
scilab-test_5.2.2-8_all.deb
  to main/s/scilab/scilab-test_5.2.2-8_all.deb
scilab_5.2.2-8.diff.gz
  to main/s/scilab/scilab_5.2.2-8.diff.gz
scilab_5.2.2-8.dsc
  to main/s/scilab/scilab_5.2.2-8.dsc
scilab_5.2.2-8_all.deb
  to main/s/scilab/scilab_5.2.2-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <sylvestre@debian.org> (supplier of updated scilab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 30 Sep 2010 15:17:57 +0200
Source: scilab
Binary: scilab-cli scilab scilab-data scilab-include scilab-minimal-bin scilab-full-bin scilab-minimal-bin-dbg scilab-full-bin-dbg libscilab-java scilab-doc scilab-doc-fr scilab-doc-pt-br scilab-test
Architecture: source all amd64
Version: 5.2.2-8
Distribution: unstable
Urgency: high
Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Sylvestre Ledru <sylvestre@debian.org>
Description: 
 libscilab-java - Scientific software package for numerical computations (Java API)
 scilab     - Scientific software package for numerical computations
 scilab-cli - Scientific software package - Command Line Interpreter
 scilab-data - Scientific software package for numerical computations (data file
 scilab-doc - Scientific software package (english documentations)
 scilab-doc-fr - Scientific software package (french documentation)
 scilab-doc-pt-br - Scientific software package (Brazilian Portuguese documentation)
 scilab-full-bin - Scientific software package for numerical computations (all binar
 scilab-full-bin-dbg - Scientific software package (scilab debugging symbols)
 scilab-include - Scientific software package for numerical computations (include f
 scilab-minimal-bin - Scientific software package for numerical computations (minimal b
 scilab-minimal-bin-dbg - Scientific software package (scilab-cli debugging symbols)
 scilab-test - Scientific software package for numerical computations (test file
Closes: 598422 598423
Changes: 
 scilab (5.2.2-8) unstable; urgency=high
 .
   * SECURITY UPDATE:
     - (CVE-2010-3378) : Insecure library loading (Closes: #598422, #598423)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkynqHsACgkQiOXXM92JlhCWwQCfWWPKgPzEr7eAv2vmTLys4SFb
svEAoOMaDYAekAIhK+9hfwoYetp0vdEP
=RgNO
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Nov 2010 07:29:13 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:09:34 2014; Machine Name: buxtehude.debian.org
