LD_LIBRARY_PATH in /usr/bin/exaile potentially security issue

Bug #164788 reported by Luis Mondesi on 2007-11-24
258
Affects Status Importance Assigned to Milestone
Exaile
Invalid
High
Johannes Sasongko
exaile (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: exaile

/usr/bin/exaile contains the following:

$> cat /usr/bin/exaile
#!/bin/sh
 cd /usr/share/exaile
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/firefox
 export MOZILLA_FIVE_HOME=
 exec python /usr/lib/exaile/exaile.py "$@"

This is a potential problem because of this:
http://lists.debian.org/debian-security/2007/11/msg00009.html

It should be defined as this post suggest (http://lists.debian.org/debian-security/2007/11/msg00013.html
):

#!/bin/sh
 cd /usr/share/exaile
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH+LD_LIBRARY_PATH:}/usr/lib/firefox
 export MOZILLA_FIVE_HOME=
 exec python /usr/lib/exaile/exaile.py "$@"

In other words, if LD_LIBRARY_PATH is not set (or set but empty), LD_LIBRARY_PATH should only be "/usr/lib/firefox". Without this fix, it would be defined as: ":/usr/lib/firefox". Which is a security problem because it's interpret by shells as ".:/usr/lib/firefox". Meaning that a user could inject their own libraries from the current directory.

Other References:
CVE-2005-4790
CVE-2005-4791

Luis Mondesi (lemsx1) wrote :

Sorry, this is the correct code:

#!/bin/sh
 cd /usr/share/exaile
 export LD_LIBRARY_PATH=${LD_LIBRARY_PATH+$LD_LIBRARY_PATH:}/usr/lib/firefox
 export MOZILLA_FIVE_HOME=
 exec python /usr/lib/exaile/exaile.py "$@"

Should've tested more:

$> export FOO=THIS
$> echo ${FOO:+$FOO:}BAR
THIS:BAR
$> export FOO=
$> echo ${FOO:+$FOO:}BAR
BAR
$>unset FOO
$> echo ${FOO:+$FOO:}BAR
BAR

Johannes Sasongko (sjohannes) wrote :

So I guess you mean ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:} ?

Changed in exaile:
assignee: nobody → sjohannes
importance: Undecided → High
milestone: none → 0.2.12
status: New → In Progress
Johannes Sasongko (sjohannes) wrote :

Superseded by the bug 136202 fix (we don't do LD_LIBRARY_PATH manipulation anymore).

Changed in exaile:
status: In Progress → Invalid
Daniel T Chen (crimsun) on 2008-11-15
Changed in exaile:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers