
Bug 341569 (CVE-2010-3357)

Summary: media-video/gnome-subtitles: Insecure Library Loading Vulnerability (CVE-2010-3357)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mail, media-video, proxy-maint
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.gnome.org/browse/gnome-subtitles/commit/?id=44370dc2a87f7fa0d6c9730979514bd407a37c65
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2010-10-18 02:50:00 UTC
From the original Debian bug at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598289: 

During a review of the Debian archive, I've found your package to
contain a script that can be abused by an attacker to execute arbitrary
code.

The vulnerability is introduced by an insecure change to
LD_LIBRARY_PATH, an environment variable used by ld.so(8) to look for
libraries in a directory other than the standard paths.

Vulnerable code follows:

/usr/bin/gnome-subtitles line 9:
export LD_LIBRARY_PATH="$libdir/gnome-subtitles:$LD_LIBRARY_PATH"

When there's an empty item on the colon-separated list of
LD_LIBRARY_PATH, ld.so treats it as '.' (i.e. CWD/$PWD.)
If the given script is executed from a directory where a potential
local attacker can write files, there's a chance to exploit this
bug.

This vulnerability has been assigned the CVE id CVE-2010-3357. Please make sure
you mention it when forwarding this report to upstream and when fixing
this bug (everywhere: upstream and here at Debian.)

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3357
[1] http://security-tracker.debian.org/tracker/CVE-2010-3357
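
The empty-item behaviour described in the report above, as an added example that is not part of the original bug report or of the gnome-subtitles source. It builds the search path both ways as plain strings (nothing is exported) and flags any empty item; the function names and sample paths are constructed, and the hardened form is one common shell idiom, not necessarily the change made upstream.

```shell
#!/bin/sh
# Succeeds if a non-empty colon-separated list contains an empty item
# (leading colon, trailing colon, or "::"), which the report says
# ld.so treats as the current working directory.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drops empty items from a colon-separated list. The body runs in a
# subshell so the IFS and globbing changes do not leak to the caller.
strip_empty_entries() (
    out=
    IFS=:
    set -f
    for item in $1; do
        [ -n "$item" ] && out="${out:+$out:}$item"
    done
    printf '%s\n' "$out"
)

# Same construction as line 9 of the vulnerable wrapper script:
# an unset or empty inherited value leaves a trailing colon.
build_vulnerable() {    # $1 = libdir, $2 = inherited LD_LIBRARY_PATH
    printf '%s\n' "$1/gnome-subtitles:$2"
}

# Hardened construction: clean the inherited value, then add the
# separator only when something is left to append.
build_hardened() {
    clean=$(strip_empty_entries "$2")
    printf '%s\n' "$1/gnome-subtitles${clean:+:$clean}"
}

libdir=/usr/lib    # constructed sample value
for inherited in "" "/opt/lib" "/opt/lib::/srv/lib:"; do
    for builder in build_vulnerable build_hardened; do
        result=$($builder "$libdir" "$inherited")
        if has_empty_entry "$result"; then verdict="EMPTY ITEM (CWD searched)"
        else verdict="ok"; fi
        printf '%-16s inherited=%-20s -> %s  [%s]\n' \
            "$builder" "'$inherited'" "$result" "$verdict"
    done
done
```
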
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:19:26 UTC
CVE-2010-3357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3357):
  gnome-subtitles 1.0 places a zero-length directory name in the
  LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan
  horse shared library in the current working directory.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-17 00:07:17 UTC
gnome-subtitles-1.1 and 1.2 are in tree and NVD indicates that only 1.0 is affected. Ancient bug, closing noglsa.