On Tue, Sep 28, 2010 at 04:23:26 +0000, Raphael Geissert wrote:
> Package: vdr-dbg
> Version: 1.6.0-18
> Severity: grave
> Tags: security
> User: t...@security.debian.org
> Usertags: ldpath
>
> Hello,
>
> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.
>
> The vulnerability is introduced by an insecure change to
> LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
> libraries on a directory other than the standard paths.
>
> Vulnerable code follows:
>
> /usr/bin/vdrleaktest line 73:
> LANG=C LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" \
>     valgrind --tool=memcheck --leak-check=yes --num-callers=20 \
>     --suppressions=/usr/share/vdr/valgrind.supp \
>     /usr/bin/vdr-dbg -v $VIDEO_DIR -c $CFG_DIR -L $PLUGIN_DIR -r $REC_CMD \
>     -E $EPG_FILE -g /tmp $OPTIONS --port $SVDRP_PORT --lirc \
>     "$@"
>
> When there's an empty item on the colon-separated list of
> LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
> If the given script is executed from a directory where a potential,
> local, attacker can write files to, there's a chance to exploit this
> bug.
>

LD_LIBRARY_PATH is colon-separated, though, not semicolon-separated, so
LD_LIBRARY_PATH="/usr/lib/debug;$LD_LIBRARY_PATH" is broken, but not a
security issue. Besides, this looks like a debugging utility, so I don't
think it would warrant 'grave' severity even if the bug was there.

Cheers,
Julien
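The exchange above turns on how ld.so splits LD_LIBRARY_PATH and what an empty entry means. The following is an added audit helper, not code from the bug report, vdr-dbg or glibc. It expands a shell-style assignment with a given environment and reports every entry that ld.so would resolve to the current directory. The separator set defaults to ":;" because ld.so(8) documents that items are separated by either colons or semicolons; it is a parameter so the colon-only reading can be checked as well. `expand_assignment`, `parse_ld_library_path`, `audit_assignment` and `safe_join` are names chosen here, and the environment values are constructed for the example.

```python
"""Audit a shell LD_LIBRARY_PATH assignment for entries that ld.so would
treat as the current directory (added example; not from the bug report)."""
import re
from dataclasses import dataclass

# ld.so(8): "The items in the list are separated by either colons or semicolons".
LD_SO_SEPARATORS = ":;"


@dataclass
class Entry:
    raw: str
    searches_cwd: bool  # ld.so treats an empty entry as '.' (the current directory)


def expand_assignment(template: str, env: dict) -> str:
    """Expand $NAME / ${NAME} references the way a double-quoted shell
    assignment would; unset names expand to the empty string (hypothetical helper)."""
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))",
                  lambda m: env.get(m.group(1) or m.group(2), ""), template)


def parse_ld_library_path(value: str, separators: str = LD_SO_SEPARATORS) -> list:
    """Split a value into search entries: any separator character starts a new
    entry, and an empty entry (leading, trailing or doubled separator) means CWD."""
    if value == "":
        return []  # an empty/unset variable adds no search directories at all
    parts = re.split("[" + re.escape(separators) + "]", value)
    return [Entry(raw=p, searches_cwd=(p == "")) for p in parts]


def audit_assignment(template: str, env: dict,
                     separators: str = LD_SO_SEPARATORS) -> list:
    """Return one finding per entry that would make ld.so search the CWD."""
    value = expand_assignment(template, env)
    findings = []
    for i, entry in enumerate(parse_ld_library_path(value, separators)):
        if entry.searches_cwd:
            findings.append(
                f"entry {i} of {value!r} is empty: ld.so would search the current directory")
    return findings


def safe_join(new_dir: str, old_value: str) -> str:
    """Build the value the shell idiom "$new${OLD:+:$OLD}" produces: the old
    list is appended only when non-empty, so no empty entry is ever created."""
    return new_dir if old_value == "" else f"{new_dir}:{old_value}"


# The assignment quoted in the report, checked with LD_LIBRARY_PATH unset.
VDRLEAKTEST_ASSIGNMENT = "/usr/lib/debug;$LD_LIBRARY_PATH"

if __name__ == "__main__":
    for finding in audit_assignment(VDRLEAKTEST_ASSIGNMENT, {}):
        print(finding)
    print("colon-only reading:", audit_assignment(VDRLEAKTEST_ASSIGNMENT, {}, ":"))
    print("safe form:", safe_join("/usr/lib/debug", ""))
```

Run as a script it prints the finding for the semicolon form with the variable unset, an empty list under the colon-only reading, and the safe value "/usr/lib/debug" that `safe_join` produces when there is no prior path to append.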