Bug#598283: ardour: CVE-2010-3349: insecure library loading

Adrian Knoth adi at drcomp.erfurt.thur.de
Tue Sep 28 11:48:06 UTC 2010


On Tue, Sep 28, 2010 at 04:21:09AM +0000, Raphael Geissert wrote:

Hi!

> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
> /usr/bin/ardour2 line 5:
> export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH 

Can you elaborate on this or give a link with a more detailed
explanation?

LD_LIBRARY_PATH is a well-known feature, and every binary can, by
design, be run with libraries from different paths, including CWD, if
the user sets LD_LIBRARY_PATH appropriately.

I don't see how importing LD_LIBRARY_PATH in a script is any different
from running an arbitrary binary (also with LD_LIBRARY_PATH being set).
According to your logic, every dynamically linked binary would be
vulnerable.

In other words, I don't see a security issue at all. If the user
deliberately sets LD_LIBRARY_PATH, it's his ultimate responsibility.
LD_LIBRARY_PATH is just a more cumbersome way of running completely
different code.


I might miss something, but unless you rely on RPATH, you could file
this kind of bug against almost every package. And given that
LD_LIBRARY_PATH is a valid use case, we somehow need to pass it to the
binary. I don't see that manually filtering LD_LIBRARY_PATH is any good.
The user sets it, the user gets it.


Please feel free to correct my understanding of the "issue" at hand.

Cheerio

-- 
mail: adi at thur.de  	http://adi.thur.de	PGP/GPG: key via keyserver
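The report quoted above gives the offending line but not the mechanism, so here is an added illustration (not code from the bug report, from Adrian, or from the ardour package) of what it expands to. When LD_LIBRARY_PATH is unset or empty, `export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH` yields `/usr/lib/ardour2:` with a trailing colon; ld.so treats an empty element in LD_LIBRARY_PATH as the current working directory, which is why the script, and not the user's own LD_LIBRARY_PATH setting, is what introduces the extra search directory. The functions take the inherited value as an argument so the check runs without touching the real environment; `/usr/lib/ardour2` is the directory from the quoted line, the function names are my own.

```shell
#!/bin/sh
# Added example: the expansion from the reported /usr/bin/ardour2 line next to
# a form that never produces an empty path element. Not part of the package.

# Expansion as written in the reported script: always appends ":$LD_LIBRARY_PATH",
# even when the inherited value is empty.
#   $1: library directory, $2: inherited LD_LIBRARY_PATH (may be empty)
weak_path() {
    printf '%s:%s' "$1" "$2"
}

# Corrected form: ${var:+word} is POSIX and expands to word only when var is
# set and non-empty, so the separator is only added when there is something
# to separate.
safe_path() {
    printf '%s%s' "$1" "${2:+:$2}"
}

# Returns 0 when a non-empty colon-separated search path contains an empty
# element (leading ":", trailing ":" or "::" in the middle); ld.so resolves
# such an element to the current working directory.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with constructed inputs: an unset/empty LD_LIBRARY_PATH and a
# user-supplied one.
lib=/usr/lib/ardour2
for inherited in "" "/opt/lib"; do
    for form in weak_path safe_path; do
        result=$("$form" "$lib" "$inherited")
        if has_empty_element "$result"; then
            verdict="contains empty element (cwd is searched)"
        else
            verdict="ok"
        fi
        printf '%-9s inherited=%-9s -> %-24s %s\n' \
            "$form" "'$inherited'" "$result" "$verdict"
    done
done
```

Running it shows that only `weak_path` with an empty inherited value produces a path with an empty element; with a user-set LD_LIBRARY_PATH both forms behave identically, which is the case Adrian's argument covers.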