Hi,

On Fri, Oct 01, 2010 at 06:11:08PM +0200, Lars Ellenberg wrote:
> On Thu, Sep 30, 2010 at 10:44:42AM +0900, Simon Horman wrote:
> > Hi linux-ha-dev,
> >
> > I received this through the Debian bug tracker.
> > It's not immediately clear to me what an appropriate fix would be.
> >
> > ----- Forwarded message from Raphael Geissert <geiss...@debian.org> -----
> >
> > Date: Thu, 30 Sep 2010 00:36:56 +0000
> > From: Raphael Geissert <geiss...@debian.org>
> > To: sub...@bugs.debian.org
> > Subject: [Debian-ha-maintainers] Bug#598549: cluster-agents: CVE-2010-3389:
> > insecure library loading
> > Resent-From: Raphael Geissert <geiss...@debian.org>
> >
> > Package: cluster-agents
> > Version: 1:1.0.3-3
> > Severity: important
> > Tags: security
> > User: t...@security.debian.org
> > Usertags: ldpath
> >
> > Hello,
> >
> > During a review of the Debian archive, I've found your package to
> > contain a script that can be abused by an attacker to execute arbitrary
> > code.
> >
> > The vulnerability is introduced by an insecure change to
> > LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> > libraries on a directory other than the standard paths.
> >
> > Vulnerable code follows:
> >
> > /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 969:
> > if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> > /usr/lib/ocf/resource.d/heartbeat/SAPDatabase line 970:
> > LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> > /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 299:
> > if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
> > /usr/lib/ocf/resource.d/heartbeat/SAPInstance line 300:
> > LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
> >
> > When there's an empty item on the colon-separated list of
> > LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> > If the given script is executed from a directory where a potential,
> > local, attacker can write files to, there's a chance to exploit this
> > bug.
>
> So it is run periodically by root (well, the lrmd, as root).
> Even though the cwd of lrmd should be ok, permission wise, in case the
> script does cd into somewhere (I don't think it does, now) where someone
> with lesser privilege was able to place some evil *.so, the next command
> executed by the script may do interesting things.
I really doubt that, though it looks dangerous, there is a way to
exploit this without root access.

> Ok.
>
> Simply doing
> #remove it, if present.
> LD_LIBRARY_PATH=${LD_LIBRARY_PATH#"$DIR_EXECUTABLE"}
> #remove possible remaining leading :
> LD_LIBRARY_PATH=${LD_LIBRARY_PATH#:}
> #prepend it
> LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH
> #remove possible trailing :
> LD_LIBRARY_PATH=${LD_LIBRARY_PATH%:}

Hmm, this smells like bashisms, are they?

Cheers,

Dejan

> Would do away with the empty component as well as the if [ `echo | grep` ].
>
> > This vulnerability has been assigned the CVE id CVE-2010-3389. Please make
> > sure
> > you mention it when forwarding this report to upstream and when fixing
> > this bug (everywhere: upstream and here at Debian.)
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3389
> > [1] http://security-tracker.debian.org/tracker/CVE-2010-3389
> >
> > Sincerely,
> > Raphael Geissert
> _______________________________________________________
> Linux-HA-Dev: Linux-HA-Dev@lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
> Home Page: http://linux-ha.org/
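The fix Lars sketches, written out in plain POSIX sh as an added example (not code from the resource agents or from anyone in this thread): a helper that prepends $DIR_EXECUTABLE to LD_LIBRARY_PATH exactly once, removing any other occurrence and never emitting an empty component, plus a check that flags values already containing one. The directory values used in the demonstration are constructed, not taken from a real SAP host.

```sh
#!/bin/sh
# Added example, not the SAPDatabase/SAPInstance agents' own code.
# Uses only POSIX parameter expansion, case patterns and IFS splitting,
# so it runs under dash as well as bash.

# ldpath_has_empty_component VALUE
# True (0) if VALUE has an empty component: leading ":", trailing ":"
# or "::" inside. ld.so treats such a component as "." (the cwd),
# which is the CVE-2010-3389 condition.
ldpath_has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# ldpath_prepend DIR VALUE
# Prints VALUE with every exact occurrence of DIR removed and DIR put
# in front, dropping empty components on the way. An empty VALUE
# yields just DIR, never "DIR:".
ldpath_prepend() {
    dir=$1
    rest=$2
    out=$dir
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting on ":"
    for comp in $rest; do
        if [ -z "$comp" ] || [ "$comp" = "$dir" ]; then
            continue             # skip empty entries and duplicates
        fi
        out=$out:$comp
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Demonstration on constructed values: the first call is the case the
# original agents got wrong (LD_LIBRARY_PATH unset in lrmd's environment).
ldpath_prepend /usr/sap/HA1/SYS/exe/run ""
ldpath_prepend /usr/sap/HA1/SYS/exe/run "/usr/local/lib::/usr/sap/HA1/SYS/exe/run:/lib:"
```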