insecure library loading

Bug #650862 reported by Micah Gersten on 2010-09-29
This bug affects 1 person
Affects Status Importance Assigned to Milestone
edbrowse (Ubuntu)
Medium
Micah Gersten
Nominated for Lucid by Micah Gersten
gjs (Ubuntu)
Medium
Micah Gersten
Nominated for Lucid by Micah Gersten
gnome-web-photo (Ubuntu)
Medium
Micah Gersten
Nominated for Lucid by Micah Gersten
gxine (Ubuntu)
Medium
Micah Gersten
Nominated for Lucid by Micah Gersten

Bug Description

Binary package hint: gxine

When there's an empty item on the colon-separated list of LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD).
If the given script is executed from a directory where a potential local attacker can write files, there's a chance to exploit this bug.

This bug affects at the very least several packages which use a wrapper around xulrunner in place of mozjs.

This is similar to CVE-2010-3349.

Micah Gersten (micahg) on 2010-09-29
Changed in edbrowse (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in gjs (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in gnome-web-photo (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in gxine (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Micah Gersten (micahg) on 2010-09-29
Changed in edbrowse (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
Changed in gjs (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
Changed in gnome-web-photo (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
Changed in gxine (Ubuntu):
assignee: nobody → Micah Gersten (micahg)
Micah Gersten (micahg) on 2010-09-29
visibility: private → public
Micah Gersten (micahg) on 2010-09-29
visibility: public → private
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gjs - 0.7.1-1ubuntu3

---------------
gjs (0.7.1-1ubuntu3) maverick; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #650862)
    - debian/gjs-console.sh: use shell expansion to set LD_LIBRARY_PATH
    - CVE-2010-3349
 -- Micah Gersten <email address hidden> Wed, 29 Sep 2010 02:31:40 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package edbrowse - 3.4.1-1ubuntu2

---------------
edbrowse (3.4.1-1ubuntu2) maverick; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #650862)
    - debian/edbrowse.sh: use shell expansion to set LD_LIBRARY_PATH
    - CVE-2010-3349
 -- Micah Gersten <email address hidden> Wed, 29 Sep 2010 01:54:29 -0500

Changed in edbrowse (Ubuntu):
status: Triaged → Fix Released
Changed in gjs (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gxine - 0.5.905-4ubuntu2

---------------
gxine (0.5.905-4ubuntu2) maverick; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #650862)
    - debian/gxine-wrapper.sh: use shell expansion to set LD_LIBRARY_PATH
    - CVE-2010-3349
 -- Micah Gersten <email address hidden> Wed, 29 Sep 2010 02:39:00 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-web-photo - 0.8-0ubuntu5

---------------
gnome-web-photo (0.8-0ubuntu5) maverick; urgency=low

  * SECURITY UPDATE: insecure library loading (LP: #650862)
    - debian/scripts/gnome-web-photo: use shell expansion to set LD_LIBRARY_PATH
    - CVE-2010-3349
 -- Micah Gersten <email address hidden> Wed, 29 Sep 2010 02:36:38 -0500

Changed in gnome-web-photo (Ubuntu):
status: Triaged → Fix Released
Changed in gxine (Ubuntu):
status: Triaged → Fix Released
Micah Gersten (micahg) on 2010-09-29
visibility: private → public
Micah Gersten (micahg) on 2010-10-03
summary: - CVE-2010-3349: insecure library loading
+ insecure library loading
description: updated
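
The empty-item behaviour from the bug description and the "use shell expansion" fix named in the changelogs, shown as an added example that is not the packages' actual wrapper code. The unconditional-append "before" pattern, the `${VAR:+...}` form of the fix, the helper names and the `LIBDIR` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not taken from the packages' wrapper scripts.
# LIBDIR is a constructed placeholder directory.
LIBDIR=/usr/lib/example-xulrunner

# Assumed "before" pattern: unconditional append. With LD_LIBRARY_PATH
# unset or empty this leaves a trailing ':' (an empty item).
build_path_unsafe() {
    printf '%s\n' "$LIBDIR:$LD_LIBRARY_PATH"
}

# Hardened pattern: ${VAR:+word} expands to word only when VAR is set
# and non-empty, so the ':' separator appears only when it is needed.
build_path_safe() {
    printf '%s\n' "$LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Succeeds (exit 0) when a non-empty path list contains an empty item:
# a leading ':', a trailing ':' or '::' anywhere.
has_empty_entry() {
    case $1 in
        '')          return 1 ;;   # nothing set, nothing to flag
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Drops empty items from an inherited list, since the safe expansion
# above still passes through empty items already inside the old value.
strip_empty_entries() {
    out= rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *:*) item=${rest%%:*}; rest=${rest#*:} ;;
            *)   item=$rest; rest= ;;
        esac
        if [ -n "$item" ]; then out="${out:+$out:}$item"; fi
    done
    printf '%s\n' "$out"
}

# Demo with the variable unset, as in a fresh environment.
unset LD_LIBRARY_PATH
for p in "$(build_path_unsafe)" "$(build_path_safe)"; do
    if has_empty_entry "$p"; then echo "EMPTY ITEM: $p"; else echo "ok: $p"; fi
done
```

`has_empty_entry` can also be run over the value a wrapper is about to export as a packaging-time or CI check.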