CVE request for proxychains-ng : current path as the first directory for the library search path

[Mamoru TASAKA<mtasaka () fedoraproject org>]

Dear All:

Here I submit a CVE request for proxychains-ng as it is requested as
below.

Sincerely yours,
Mamoru TASAKA <mtasaka () fedoraproject org>


------- Forwarded Message
Date :Mon, 11 May 2015 23:49:57 -0600
> From :kseifried () redhat com
Subject :Re: bug 1147013 : current path as the first directory for the library search path

----
On 05/11/2015 11:27 PM, Mamoru TASAKA wrote:
> Dear security responsible team:
>
> Please correct me if it is not suitable to contact you for the below case.
> I am currently reviewing new package's "Review Request" for
> proxychains-ng as
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1147013
>
> Source available as
> https://github.com/rofl0r/proxychains-ng
>
> Rebuilt proxychains-ng binary.rpm contains proxychains4,
> which firstly sets LD_PRELOAD to dlopen libproxychains4.so
> (contained in the same binary rpm) and execvp() the arbitrary
> command user has specified.
>
> Looking at the code, this program (proxychains4) sets the current
> directory as the first path to search libproxychains4.so. ref:
>
> https://github.com/rofl0r/proxychains-ng/blob/master/src/main.c#L35
>
> I would appreciate it if you would answer to me if this
> is permitted from the viewpoint of security.
>
> Sincerely yours,
> Mamoru TASAKA 

This is def a security flaw, similar to CVE-2009-0415 for example. Can
you please post a copy of this to oss-security () lists openwall com
requesting a CVE # for this vulnerability? Also please use
secalert () redhat com in future, it has a response SLA, this email address
does not. Thanks!


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: