Bug 245317 (CVE-2008-4865)

Summary: dev-util/valgrind <3.4.0 untrusted search path vulnerability (CVE-2008-4865)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: griffon26, nunoplopes
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4865
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Attachments: Patch for valgrind SVN HEAD (flags: none)

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 20:03:12 UTC
CVE-2008-4865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4865):
  Untrusted search path vulnerability in valgrind allows local users to
  execute arbitrary programs via a Trojan horse .valgrindrc file in the
  current working directory, as demonstrated using a malicious
  --db-command option.  NOTE: the severity of this issue has been
  disputed, but CVE is including this issue because execution of a
  program from an untrusted directory is a common scenario.
Comment 1 Maurice van der Pot (RETIRED) gentoo-dev 2008-11-03 19:38:20 UTC
Created attachment 170644 [details, diff]
Patch for valgrind SVN HEAD

This is the same solution as given by solar for gdb in bug #88398.

It applies to valgrind SVN HEAD, but not to valgrind 3.3.1. Valgrind 3.3.1 has a problem with vg_stat that has been solved in SVN and I'm not sure this patch is going to do much good on 3.3.1.

Has valgrind upstream been notified of this issue? I didn't find anything on the mailing lists or in the bug tracker.
Comment 2 Maurice van der Pot (RETIRED) gentoo-dev 2008-12-13 10:16:33 UTC
Anyone?
Comment 3 Matti Bickel (RETIRED) gentoo-dev 2008-12-13 13:25:21 UTC
We're waiting on upstream. Change the whiteboard to reflect this.
Comment 4 Maurice van der Pot (RETIRED) gentoo-dev 2008-12-13 13:51:52 UTC
Upstream bug report:
https://bugs.kde.org/show_bug.cgi?id=177682
Comment 5 Nuno Lopes 2009-01-04 18:38:21 UTC
valgrind 3.4 was released yesterday and it fixes this problem.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-01-05 02:09:41 UTC
$ svn log -c 8798 svn://svn.valgrind.org/valgrind/trunk
------------------------------------------------------------------------
r8798 | dirk | 2008-11-22 13:03:19 +0100 (Sat, 22 Nov 2008) | 3 lines

ignore .valgrindrc files that are world writeable
or not owned by the current user (CVE-2008-4865)

------------------------------------------------------------------------
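The trust rule in the r8798 log message above, written out as an added example (this is not valgrind's own code, and the function names are my own): a per-directory rc file is loaded only if it is a regular file owned by the current user and not world-writable, and the check is done with fstat() on the descriptor that is then read, so the file inspected is the file used.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (not valgrind's code): the r8798 trust rule applied to the
 * metadata of an rc file. Returns 1 if a process running as `uid` may load
 * the file: regular file, owned by uid, not writable by world. */
int rcfile_trusted_stat(const struct stat *st, uid_t uid)
{
    if (!S_ISREG(st->st_mode)) return 0;   /* directory, FIFO, device, ... */
    if (st->st_uid != uid)     return 0;   /* owned by someone else */
    if (st->st_mode & S_IWOTH) return 0;   /* anyone could have written it */
    return 1;
}

/* Opens `path` and returns its contents (malloc'd, NUL-terminated) only if it
 * passes the gate, else NULL. fstat() on the open descriptor removes the
 * stat/open race, and O_NOFOLLOW refuses a symlink planted in the cwd. */
char *read_rcfile_if_trusted(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return NULL;               /* absent: nothing to load */
    if (fstat(fd, &st) != 0 || !rcfile_trusted_stat(&st, getuid())) {
        fprintf(stderr, "ignoring untrusted rc file: %s\n", path);
        close(fd);
        return NULL;
    }
    char *buf = malloc((size_t)st.st_size + 1);
    if (!buf) { close(fd); return NULL; }
    ssize_t n = read(fd, buf, (size_t)st.st_size);
    close(fd);
    if (n < 0) { free(buf); return NULL; }
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* The per-directory file named in the CVE, looked up in the cwd. */
    char *rc = read_rcfile_if_trusted("./.valgrindrc");
    if (rc) { printf("loaded options:\n%s", rc); free(rc); }
    else    printf("no trusted ./.valgrindrc loaded\n");
    return 0;
}
```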
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-01-09 19:23:50 UTC
Arches, please test and mark stable:
=dev-util/valgrind-3.4.0
Target keywords : "amd64 ppc ppc64 x86"
Comment 8 Markus Meier gentoo-dev 2009-01-10 09:22:36 UTC
there's a minor issue with this ebuild, apart from that it looks good on amd64/x86:
configure: WARNING: unrecognized options: --with-x
Comment 9 Maurice van der Pot (RETIRED) gentoo-dev 2009-01-10 16:41:35 UTC
It's a harmless warning. The previously optional suppression files for X are now always included, so the X use flag will be removed as was the --with-x option to configure.

I'll fix that in a next version to not interfere with testing for stabilization.
Comment 10 Markus Meier gentoo-dev 2009-01-10 16:44:50 UTC
amd64/x86 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-01-12 15:50:33 UTC
ppc64 done
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-13 17:23:59 UTC
ppc stable, ready for glsa-voting
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:33:12 UTC
Why is this B4? It should be B1.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 21:12:32 UTC
GLSA 200902-03