From c244a47d387d2004bd9af181bd78e2a374b93f50 Mon Sep 17 00:00:00 2001
From: Yann Dirson <ydirson@free.fr>
Date: Sat, 18 Oct 2014 18:28:58 +0200
Subject: [PATCH] Avoid LD_LIBRARY_PATH vulnerability CVE-2010-3382.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3382
http://security-tracker.debian.org/tracker/CVE-2010-3382
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598303
Raphael Geissert has found that this package contains a script that
can be abused by an attacker to execute arbitrary code.
The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.
Vulnerable code follows:
/usr/bin/tauex line 197:
export LD_LIBRARY_PATH=$TAUROOT/$TAUARCH/lib/$theBinding:$LD_LIBRARY_PATH
When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential,
local, attacker can write files to, there's a chance to exploit this
bug.
Patch by Julien Cristau <jcristau@debian.org>, adjusted for current
version and extended to tau2slog2 script.
---
tools/src/tauex | 4 ++--
utils/slogconverter/tau2slog2.skel | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/src/tauex b/tools/src/tauex
index 1b9f681..6941240 100755
--- a/tools/src/tauex
+++ b/tools/src/tauex
@@ -228,11 +228,11 @@ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 ; do
done
if [ "$SICORTEX" = "yes" ] ; then
- TAUEX_LD_LIBRARY_PATH=$PREFIX/lib32/$theBinding:$LD_LIBRARY_PATH
+ TAUEX_LD_LIBRARY_PATH="$PREFIX/lib32/$theBinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
TAUEX_LD_LIBRARY_PATH=$PREFIX/lib64/$theBinding:$TAUEX_LD_LIBRARY_PATH
TAUEX_LD_PRELOAD=libTAU.so:$LD_PRELOAD
else
- TAUEX_LD_LIBRARY_PATH=$BASEDIR/lib/$theBinding:$LD_LIBRARY_PATH
+ TAUEX_LD_LIBRARY_PATH="$BASEDIR/lib/$theBinding${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
TAUEX_LD_PRELOAD=$BASEDIR/lib/$theBinding/libTAU.so:$LD_PRELOAD
fi
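Review bot: The two `TAUEX_LD_PRELOAD` assignments in this if/else still append `:$LD_PRELOAD` unconditionally, so they keep the trailing-colon pattern that this patch removes from `TAUEX_LD_LIBRARY_PATH`. Whether an empty preload entry is harmful depends on the loader (glibc appears to skip empty entries, to be confirmed), but the same form would keep the block consistent and avoid relying on that: `TAUEX_LD_PRELOAD="libTAU.so${LD_PRELOAD:+:$LD_PRELOAD}"` and `TAUEX_LD_PRELOAD="$BASEDIR/lib/$theBinding/libTAU.so${LD_PRELOAD:+:$LD_PRELOAD}"`. Note also that `${LD_LIBRARY_PATH:+...}` covers only the unset or empty case; an inherited value that itself begins or ends with `:` or contains `::` still carries an empty entry through, which deserves a short comment above the block.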
diff --git a/utils/slogconverter/tau2slog2.skel b/utils/slogconverter/tau2slog2.skel
index 1490cae..638ac83 100755
--- a/utils/slogconverter/tau2slog2.skel
+++ b/utils/slogconverter/tau2slog2.skel
@@ -21,7 +21,7 @@ echo TRACE_LIBDIR=$2/$4/lib
if [ $4 != solaris2 ]
then
-echo 'export LD_LIBRARY_PATH=$TRACE_LIBDIR:$LD_LIBRARY_PATH'
+echo 'export LD_LIBRARY_PATH=$TRACE_LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}'
fi
echo '# Set PATH to the jar needed by the program'
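Review bot: The generated `export` line leaves its value unquoted, unlike the quoted assignments this patch adds to tools/src/tauex. Some `sh` implementations word-split the argument of `export NAME=$value`, so a `TRACE_LIBDIR` containing whitespace could end up truncated in the generated script; which shell runs that script is not visible here. Consider `echo 'export LD_LIBRARY_PATH="$TRACE_LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"'`. The enclosing script starts and ends outside this hunk.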
--
2.1.1