
Bug 352213 (CVE-2010-3389)

Summary: <sys-cluster/rgmanager-2.03.09-r1: insecure library loading (CVE-2010-3389)
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cluster, tomka
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=639044
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 352335    
Bug Blocks:    
Attachments:
  build.log with failures (flags: none)
  build.log (flags: none)

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-20 08:42:42 UTC
Not sure if it affects Gentoo:

Raphael Geissert conducted a review of various packages in Debian and found
that cluster-agents contained a script that could be abused by an attacker to
execute arbitrary code [1].

The vulnerability is due to an insecure change to LD_LIBRARY_PATH, an
environment variable used by ld.so(8) to look for libraries in directories
other than the standard paths.  When there is an empty item in the
colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a
'.' (current working directory).  If the given script is executed from a
directory where a local attacker could write files, there is a chance for
exploitation.

In Fedora, resource-agents contains rgmanager, which has the same scripts as
Debian's cluster-agents.  /usr/share/cluster/SAPDatabase and
/usr/share/cluster/SAPInstance both re-set LD_LIBRARY_PATH insecurely:

# as root user we need the library path to the SAP kernel to be able to call executables
if [ `echo $LD_LIBRARY_PATH | grep -c "^$DIR_EXECUTABLE\>"` -eq 0 ]; then
  LD_LIBRARY_PATH=$DIR_EXECUTABLE:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
fi

A solution is to patch the scripts to properly set $LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

This issue has been assigned the name CVE-2010-3389.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598549
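The empty-element behaviour described above, contrasted with the fix from the report, as an added shell example that is not part of this bug, of resource-agents or of the Gentoo ebuild; /opt/sap/exe is a constructed sample directory:

```shell
#!/bin/sh
# Added example, not code from resource-agents or from the Gentoo ebuild.
# It contrasts the original LD_LIBRARY_PATH prepend with the fixed form
# and adds a checker for the empty elements that ld.so treats as '.'.
# The directory /opt/sap/exe used below is a constructed sample value.

# Original, insecure form: "$DIR:$LD_LIBRARY_PATH" with an unset or empty
# LD_LIBRARY_PATH produces "$DIR:", i.e. a trailing empty element.
insecure_prepend() {
    printf '%s:%s' "$1" "$2"
}

# Fixed form from the report: only emit the colon when there is an
# existing value to separate it from.
safe_prepend() {
    printf '%s%s' "$1" "${2:+:$2}"
}

# Succeed (exit 0) if the colon-separated list has an empty element:
# a leading ':', a trailing ':' or '::' in the middle. An entirely
# empty variable adds no search directory at all, so it passes.
has_empty_element() {
    case "$1" in
        "")            return 1 ;;
        :*|*:|*::*)    return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the directories ld.so would search, one per line, showing each
# empty element as '.' so the problem is visible when auditing a script.
effective_dirs() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | tr ':' '\n' | sed 's/^$/./'
}

# Demonstration, run with LD_LIBRARY_PATH deliberately unset.
unset LD_LIBRARY_PATH
DIR_EXECUTABLE=/opt/sap/exe
bad=$(insecure_prepend "$DIR_EXECUTABLE" "$LD_LIBRARY_PATH")
good=$(safe_prepend "$DIR_EXECUTABLE" "$LD_LIBRARY_PATH")
for p in "$bad" "$good"; do
    if has_empty_element "$p"; then
        echo "INSECURE: '$p' searches:"; effective_dirs "$p"
    else
        echo "ok: '$p'"
    fi
done
```

has_empty_element can be pointed at any script's resulting LD_LIBRARY_PATH value to catch the same class of mistake before it reaches a setuid or root-run context.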
Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-20 09:14:14 UTC
+*rgmanager-2.03.09-r1 (20 Jan 2011)
+
+  20 Jan 2011; Kacper Kowalik <xarthisius@gentoo.org>
+  +rgmanager-2.03.09-r1.ebuild, +files/rgmanager-2.03.09-CVE-2010-3389.patch:
+  Bump to EAPI2, respect multilib paths, remove obsolete bits fixing man
+  chmods, apply security patch wrt #352213, general cleanup
+
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-20 09:23:33 UTC
Thank you for the quick reaction. Arches, please stabilize =sys-cluster/rgmanager-2.03.09-r1
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-20 11:06:41 UTC
dlm-lib-2.03.09 fails with bug 305463, but .11 produces the following failure:

 (sys-cluster/dlm-lib-2.03.11, ebuild scheduled for merge) pulled in by
    =sys-cluster/dlm-lib-2.03.11

  (sys-cluster/dlm-lib-2.03.09, ebuild scheduled for merge) pulled in by
    =sys-cluster/dlm-lib-2.03.09* required by (sys-cluster/rgmanager-2.03.09-r1, ebuild scheduled for merge)
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-20 18:44:08 UTC
(In reply to comment #3)
> dlm-lib-2.03.09 fails with bug 305463, but .11 produces the following failure:
This will be gone with any linux-headers >= 2.6.30-r1. Added dep on bug 352059 since stabilization of linux-headers-2.6.36.1 is requested there.

Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-08 09:18:53 UTC
Just in case, there is an upstream patch: http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec . Anyway, we have a local patch which is only slightly different.

I've updated the bug dependency, since we're waiting not for asterisk but for linux-headers.
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2011-02-15 19:37:11 UTC
Created attachment 262647 [details]
build.log with failures

(In reply to comment #5)
> Just in case, there is an upstream patch:
> http://git.fedorahosted.org/git/?p=resource-agents.git;a=commitdiff;h=394c23c8f9e1e0fb934ba994e2e5a786467d6bec
> . Anyway, we have a local patch which is only slightly different.
> 
> I've updated the bug dependency, since we're waiting not for asterisk but for
> linux-headers.

Ok, linux-headers are through on x86, but this one fails to build.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-03-08 10:32:29 UTC
Moreover, the program fails to pass the multilib test because it installs the libraries to plain /usr/lib instead of the /usr/lib64 folder.
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2011-03-24 13:36:18 UTC
fixed multilib for cman-lib and dlm-lib -> amd64 stable
Comment 9 David Abbott gentoo-dev 2011-03-25 22:51:16 UTC
=sys-cluster/rgmanager-2.03.09-r1 tested on x86, all good here ...
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-27 11:00:10 UTC
Created attachment 267377 [details]
build.log

I think it fails in the same way as for Thomas.


Comment 11 Andreas Schürch gentoo-dev 2011-03-28 05:44:36 UTC
(In reply to comment #10)
> Created attachment 267377 [details]
> build.log
> 
> I think it fails in the same way as for Thomas.
I get exactly the same on my x86 box.
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2011-04-17 08:38:35 UTC
@cluster: Any news here?  Feels bad for us at x86 to leave the security bug open for so long, but there seem to be some regressions?
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-15 16:26:41 UTC
Maintainers, please provide an ebuild that works on x86 (see failure logs attached to this bug).
Comment 14 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-15 18:51:05 UTC
15 May 2011; Kacper Kowalik <xarthisius@gentoo.org> rgmanager-2.03.09-r1.ebuild:
Update dependencies as it fails to build with dev-libs/libxml2[icu] (bug 352213) Remove -Werror

Please try again
Comment 15 Andreas Schürch gentoo-dev 2011-05-16 09:10:04 UTC
sys-cluster/rgmanager-2.03.09-r1 now looks good here on x86.
It would be a good thing if the package could provide an example cluster.conf, or if at least the init script wouldn't just exit if none is present!
Comment 16 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-16 09:14:10 UTC
(In reply to comment #15)
> It would be a good thing if the package could provide an example cluster.conf,
> or if at least the init script wouldn't just exit if none is present!

That's something you should note in a new bug.
Comment 17 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-17 07:53:04 UTC
x86 stable, thanks everyone!
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2011-05-18 01:45:13 UTC
Thanks, folks. GLSA Vote: yes.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:19:16 UTC
CVE-2010-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389):
  The (1) SAPDatabase and (2) SAPInstance scripts in OCF Resource Agents (aka
  resource-agents or cluster-agents) 1.0.3 in Linux-HA place a zero-length
  directory name in the LD_LIBRARY_PATH, which allows local users to gain
  privileges via a Trojan horse shared library in the current working
  directory.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 19:33:16 UTC
CVE-2010-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389):
  The (1) SAPDatabase and (2) SAPInstance scripts in OCF Resource Agents (aka
  resource-agents or cluster-agents) 1.0.3 in Linux-HA place a zero-length
  directory name in the LD_LIBRARY_PATH, which allows local users to gain
  privileges via a Trojan horse shared library in the current working
  directory.
Comment 21 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:41:23 UTC
Vote: YES. New GLSA request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 16:35:50 UTC
This issue was resolved and addressed in
 GLSA 201110-18 at http://security.gentoo.org/glsa/glsa-201110-18.xml
by GLSA coordinator Tobias Heinlein (keytoaster).