Bug 637378 - CVE-2010-4000 gnome-shell: insecure library loading vulnerability
Status: RESOLVED DUPLICATE of bug 631004
Product: gnome-shell
Classification: Core
Component: general
Version: 2.31.x
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: gnome-shell-maint
Depends on:
Blocks:
Reported: 2010-12-16 10:48 UTC by Laurent Bigonville
Modified: 2010-12-16 12:30 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Laurent Bigonville 2010-12-16 10:48:04 UTC
Hi,

I'm forwarding upstream a bug that has been opened on RH bugzilla:

"Ludwig Nussel discovered that gnome-shell contained a script that could be
abused by an attacker to execute arbitrary code.

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an
environment variable used by ld.so(8) to look for libraries in directories
other than the standard paths.  When there is an empty item in the
colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as
'.' (current working directory).  If the given script is executed from a
directory where a local attacker could write files, there is a chance for
exploitation.

In Fedora, /usr/bin/gnome-shell re-sets LD_LIBRARY_PATH insecurely:

        if os.path.exists(mozjs_libdir + '/libmozjs.so'):
            env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') \
                + ':' + mozjs_libdir
        ...
    return subprocess.Popen(args, env=env)

A solution is to patch the script to test if LD_LIBRARY_PATH is previously set:

if os.environ.get('LD_LIBRARY_PATH'):
    env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') + ':' + mozjs_libdir
else:
    env['LD_LIBRARY_PATH'] = mozjs_libdir
"


Original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4000
CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4000
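As an added illustration (not code from the report or from gnome-shell itself): the reported construction beside the proposed fix, plus a check for LD_LIBRARY_PATH items that ld.so(8) resolves against the working directory. The mozjs directory is a constructed placeholder path.

```python
# Constructed placeholder; the real mozjs_libdir is distro-specific.
MOZJS_LIBDIR = '/usr/lib64/mozjs'


def build_env_vulnerable(base_env, libdir=MOZJS_LIBDIR):
    """Mirror the reported construction: unconditionally join the inherited
    value and libdir with ':'. With LD_LIBRARY_PATH unset this produces
    ':/usr/lib64/mozjs', whose empty first item ld.so(8) treats as '.'."""
    env = dict(base_env)
    env['LD_LIBRARY_PATH'] = base_env.get('LD_LIBRARY_PATH', '') + ':' + libdir
    return env


def build_env_fixed(base_env, libdir=MOZJS_LIBDIR):
    """The fix proposed in the report: join with ':' only when a non-empty
    value is already present, otherwise use libdir alone."""
    env = dict(base_env)
    inherited = base_env.get('LD_LIBRARY_PATH')
    env['LD_LIBRARY_PATH'] = inherited + ':' + libdir if inherited else libdir
    return env


def cwd_relative_entries(ld_library_path):
    """Return (index, item) for each item ld.so(8) resolves relative to the
    current directory: empty items (treated as '.') and relative paths.
    An entirely empty value adds no search directories, so it is clean."""
    if not ld_library_path:
        return []
    return [(i, item) for i, item in enumerate(ld_library_path.split(':'))
            if item == '' or not item.startswith('/')]


def sanitized(ld_library_path):
    """Defensive variant beyond the report's fix: drop cwd-relative items
    inherited from the caller, which build_env_fixed passes through."""
    return ':'.join(item for item in ld_library_path.split(':')
                    if item.startswith('/'))


if __name__ == '__main__':
    cases = ({}, {'LD_LIBRARY_PATH': '/opt/lib'}, {'LD_LIBRARY_PATH': '/opt/lib:'})
    for name, builder in (('vulnerable', build_env_vulnerable),
                          ('fixed', build_env_fixed)):
        for base in cases:
            value = builder(base)['LD_LIBRARY_PATH']
            print(f"{name:10s} inherited={base.get('LD_LIBRARY_PATH')!r:12} "
                  f"-> {value!r} cwd-relative={cwd_relative_entries(value)}")
```

Note that the proposed fix only avoids introducing a new empty item; an empty item already present in the inherited value (the third case) survives it, which is what `sanitized` addresses.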
Comment 1 Dan Winship 2010-12-16 12:30:57 UTC
This was fixed months ago.

*** This bug has been marked as a duplicate of bug 631004 ***