-------- Original Message --------
Subject:        [LAD] interesting security update to bristol just came out
Date:   Mon, 15 Nov 2010 09:39:08 -0800
From:   Niels Mayer <nielsma...@gmail.com>
To: Linux Audio Developers <linux-audio-...@lists.linuxaudio.org>, PlanetCCRMA mailinglist <planetcc...@ccrma.stanford.edu>, fedora-music-list <fedora-music-l...@redhat.com>



I noticed that bristol-0.40.7-7 updated due to the following security
update. What got me curious is what kind of security issue could
running bristol possibly pose?? -- none on it's own, but another rogue
package could exploit this issue ...

https://bugzilla.redhat.com/show_bug.cgi?id=638376
.................
Raphael Geissert conducted a review of various packages in Debian and found
that bristol contained a script that could be abused by an attacker to execute
arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and
environment variable used by ld.so(8) to look for libraries in directories
other than the standard paths.  When there is an empty item in the
colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a
'.' (current working directory).  If the given script is executed from a
directory where a local attacker could write files, there is a chance for
exploitation.

In Fedora, /usr/bin/startBristol re-sets LD_LIBRARY_PATH insecurely:

declare -x
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:${LD_LIBRARY_PATH}:${BRISTOL}/lib

A solution is to patch the script to test if $LD_LIBRARY_PATH is set first
before attempting to modify it:

if [ -z ${LD_LIBRARY_PATH} ]; then
    export LD_LIBRARY_PATH=/usr/lib/foo
else
    export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
fi

This issue has been assigned the name CVE-2010-3351.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598285
...........................

Niels
http://nielsmayer.com
_______________________________________________
Linux-audio-dev mailing list
linux-audio-...@lists.linuxaudio.org
http://lists.linuxaudio.org/listinfo/linux-audio-dev

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers

Reply via email to