Bug 644933 (CVE-2010-3999) - CVE-2010-3999 gnucash: insecure library loading vulnerability
Summary: CVE-2010-3999 gnucash: insecure library loading vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3999
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 644934
Blocks:
 
Reported: 2010-10-20 16:08 UTC by Vincent Danen
Modified: 2019-09-29 12:40 UTC
CC List: 3 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-22 15:41:54 UTC
Embargoed:



Description Vincent Danen 2010-10-20 16:08:25 UTC
Ludwig Nussel discovered that gnucash contained a script that could be abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for libraries in directories other than the standard paths.  When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as '.' (the current working directory).  If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation.

In Fedora, /usr/bin/gnc-test-env re-sets LD_LIBRARY_PATH insecurely:

(display
 (adapt-dirsep
  (get-dir-adder "LD_LIBRARY_PATH" library-dirs "/.libs" path-sep-str)))

which could result in something like this if called with, say, --library-dir /foo:

LD_LIBRARY_PATH="/foo/.libs:${LD_LIBRARY_PATH}"  export LD_LIBRARY_PATH;

I'm not sure what the best solution to fix this flaw is here; however, it looks as though gnc-test-env is only required for building gnucash, so it should probably be removed from the RPM package (it isn't something an end-user would be running normally).
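
The empty-element behaviour described in the report above, as an added shell example that is not part of the original bug report or of the gnucash script (the helper names insecure_add_dir, safe_add_dir and has_empty_element are this example's own). The first helper mirrors the unconditional prepend the report quotes, the second builds the variable without ever emitting a dangling separator, and the third is a check for the empty elements that ld.so(8) treats as the current working directory.

```shell
#!/bin/sh
# Added example, not code from gnucash or from the report.
# Shows how a dangling ':' gets into LD_LIBRARY_PATH, how to avoid it,
# and how to detect it.

# Insecure: mirrors the construction quoted in the report.
# "<dir>/.libs:" is prepended unconditionally, so when the inherited value ($2)
# is empty the result ends in ':'. That trailing empty element is what
# ld.so(8) treats as '.' (the current working directory).
insecure_add_dir() {
    # $1 = library dir, $2 = inherited LD_LIBRARY_PATH value (may be empty)
    printf '%s/.libs:%s' "$1" "$2"
}

# Safe: emit the separator only when there is an existing value to separate.
safe_add_dir() {
    if [ -n "$2" ]; then
        printf '%s/.libs:%s' "$1" "$2"
    else
        printf '%s/.libs' "$1"
    fi
}

# Check: succeeds (exit 0) when the colon-separated list has an empty element
# (leading ':', trailing ':' or '::'). A completely empty variable is not
# flagged: glibc's ld.so ignores an empty LD_LIBRARY_PATH rather than
# searching '.'.
has_empty_element() {
    case "$1" in
        '')          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Demonstration with whatever LD_LIBRARY_PATH the caller has (usually unset,
# which is exactly the case that produces the trailing ':').
demo() {
    inherited="${LD_LIBRARY_PATH:-}"
    bad="$(insecure_add_dir /foo "$inherited")"
    good="$(safe_add_dir /foo "$inherited")"
    printf 'insecure: LD_LIBRARY_PATH="%s"' "$bad"
    has_empty_element "$bad" && printf '  <- contains empty element, cwd is searched'
    printf '\n'
    printf 'safe:     LD_LIBRARY_PATH="%s"' "$good"
    has_empty_element "$good" && printf '  <- contains empty element, cwd is searched'
    printf '\n'
}

demo
```

The same check applies to any script or wrapper that prepends to a search-path variable (LD_LIBRARY_PATH, PATH, and similar) without testing whether the inherited value is empty. On a glibc system, running a program with LD_DEBUG=libs set makes ld.so print the directories it actually searches, which is the direct way to confirm the loader's side of this for a given LD_LIBRARY_PATH value.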

Comment 1 Vincent Danen 2010-10-20 16:09:35 UTC
Created gnucash tracking bugs for this issue

Affects: fedora-all [bug 644934]

Comment 2 Tomas Hoger 2010-12-22 15:41:54 UTC
Fixed in Fedora 13 and 14, and EPEL 4 and 5.

Comment 3 info@kobaltwit.be 2011-11-10 17:19:35 UTC
I don't seem to remember any notice on the usual gnucash channels (bugzilla, mailing lists,...) regarding this issue.

I have just stumbled upon this one here by accident. Just for your reference, I have committed a fix to the upstream gnucash source that will skip the unsafe file from installation altogether. As you say, it's only used by developers and packagers for running tests.

Comment 5 info@kobaltwit.be 2011-11-11 11:07:05 UTC
Yes, that's the one.

Comment 6 Vincent Danen 2011-11-15 17:46:38 UTC
Perfect, thank you for the confirmation.

