oss-sec mailing list archives
CVE Request: sblim-sfcb: insecure LD_LIBRARY_PATH usage
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 06 Jul 2012 15:41:21 -0600
Originally found at: https://bugzilla.novell.com/show_bug.cgi?id=770234

Marcus Meissner 2012-07-06 12:18:54 UTC

found by grep.

/etc/init.d/sfcb uses:

LD_LIBRARY_PATH=/usr/lib:$LD_LIBRARY_PATH

which is insecure if LD_LIBRARY_PATH is empty. It makes binaries use libraries from the current directory, which is a problem if e.g. an administrator starts the sfcb service from an untrusted directory.

Also it uses it to set /usr/lib, a default path.

Just get rid of the whole if ... as it is useless.

This is now filed in Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=838160

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
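Added example, not code from the sfcb project or from anyone in this thread: a POSIX sh snippet showing why the reported line collapses to a trailing colon when LD_LIBRARY_PATH is unset, a check for empty path elements, a guarded way of prepending, and a grep in the spirit of the one that found the bug. The function names and the audit regex are my own; only the /etc/init.d/sfcb line is taken from the report.

```shell
#!/bin/sh
# Added example (hypothetical helper names); illustrates the sfcb report above.

# has_empty_component VALUE: succeeds if VALUE has an empty path element
# (leading ':', trailing ':' or '::'). The dynamic loader treats such an
# element as the current working directory. A completely empty value is
# not a problem: the loader ignores an unset or empty LD_LIBRARY_PATH.
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# The line quoted from /etc/init.d/sfcb. With LD_LIBRARY_PATH empty this
# produces "/usr/lib:", whose trailing empty element means ".".
insecure_prepend() {
    printf '%s' "/usr/lib:$LD_LIBRARY_PATH"
}

# Guarded form: only emit the separator when there is something to separate.
# (The report's own advice is to drop the block entirely, because /usr/lib
# is already on the default search path.)
safe_prepend() {
    if [ -n "$LD_LIBRARY_PATH" ]; then
        printf '%s' "$1:$LD_LIBRARY_PATH"
    else
        printf '%s' "$1"
    fi
}

# audit_scripts FILE...: print lines that prepend to LD_LIBRARY_PATH without
# guarding against an empty existing value, i.e. the pattern found by grep.
audit_scripts() {
    grep -n 'LD_LIBRARY_PATH=.*:\$LD_LIBRARY_PATH' "$@" 2>/dev/null
}
```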