Package: trickle
Version: 1.07-5
Severity: normal
Tags: upstream
Hello, here's a copy of a mail I recently sent to the Security Team:
-8<-
Yesterday I was looking at the code of the trickle package, to see how
it worked. It uses the LD_PRELOAD mechanism to load a library that will
take care that no more bandwidth than the configured limits will be used.
This library lives in /usr/lib/trickle/trickle-overload.so. However,
the trickle.c program will prefer loading it from the current working
directory if a file named trickle-overload.so exists there.
I was wondering if this consitutes any kind of vulnerability, loading by
default arbitrary code from the current directory. The code can be seen
in trickle-1.07/trickle.c:
char *trypaths[] = {
LIBNAME,
LIBDIR "/" LIBNAME,
NULL
};
...
for (pathp = trypaths; *pathp != NULL; pathp++)
if (lstat(*pathp, &sb) == 0)
break;
...
if (path[0] != '/') {
/* make path absolute */
}
...
setenv("LD_PRELOAD", path, 1);
-8<-
Their response was:
-8<-
It should only load the library from a static system path under the exclusive
control of the local admin, otherwise someone could trick a user into running
trickle from a directory where the attacker has write access and placed a
manipulated library.
I'm not convinced this would warrant a DSA, but you should report this
upstream.
-8<-
Cheers,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Listening to: Manolo Tena - Loco por verte
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]