Bug 245317 (CVE-2008-4865) - dev-util/valgrind <3.4.0 untrusted search path vulnerability (CVE-2008-4865)
Summary: dev-util/valgrind <3.4.0 untrusted search path vulnerability (CVE-2008-4865)
Alias: CVE-2008-4865
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2008-11-02 20:03 UTC by Stefan Behte (RETIRED)
Modified: 2009-02-12 21:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Patch for valgrind SVN HEAD (valgrind-svn-CVE-2008-4865.patch,1.96 KB, patch)
2008-11-03 19:38 UTC, Maurice van der Pot (RETIRED)

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 20:03:12 UTC
CVE-2008-4865:
  Untrusted search path vulnerability in valgrind allows local users to
  execute arbitrary programs via a Trojan horse .valgrindrc file in the
  current working directory, as demonstrated using a malicious
  --db-command options.  NOTE: the severity of this issue has been
  disputed, but CVE is including this issue because execution of a
  program from an untrusted directory is a common scenario.
Comment 1 Maurice van der Pot (RETIRED) gentoo-dev 2008-11-03 19:38:20 UTC
Created attachment 170644
Patch for valgrind SVN HEAD

This is the same solution as given by solar for gdb in bug #88398.

It applies to valgrind SVN HEAD, but not to valgrind 3.3.1. Valgrind 3.3.1 has a problem with vg_stat that has been solved in SVN and I'm not sure this patch is going to do much good on 3.3.1.

Has valgrind upstream been notified of this issue? I didn't find anything on the mailing lists or in the bug tracker.
Comment 2 Maurice van der Pot (RETIRED) gentoo-dev 2008-12-13 10:16:33 UTC
Comment 3 Matti Bickel (RETIRED) gentoo-dev 2008-12-13 13:25:21 UTC
We're waiting on upstream. Changing the whiteboard to reflect this.
Comment 4 Maurice van der Pot (RETIRED) gentoo-dev 2008-12-13 13:51:52 UTC
Upstream bug report:
Comment 5 Nuno Lopes 2009-01-04 18:38:21 UTC
valgrind 3.4 was released yesterday and it fixes this problem.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-01-05 02:09:41 UTC
$ svn log -c 8798 svn://
r8798 | dirk | 2008-11-22 13:03:19 +0100 (Sat, 22 Nov 2008) | 3 lines

ignore .valgrindrc files that are world writeable
or not owned by the current user (CVE-2008-4865)

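The check r8798 describes, as an added example (not valgrind's own code): a `.valgrindrc` in the current directory is only honoured if it is a regular file owned by the user running valgrind and not world-writeable. The function name, the `/tmp` fixture paths and the helper that creates them are assumptions made for this demonstration.

```c
/* Added example, not code from valgrind: decide whether a .valgrindrc found
 * in the current working directory may be read. Returns 1 to trust it,
 * 0 to ignore it (the behaviour introduced upstream in r8798). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

int valgrindrc_is_trusted(const char *path)
{
    struct stat st;
    /* lstat, so a symlink dropped into the directory is not followed */
    if (lstat(path, &st) != 0)
        return 0;                 /* absent or unreadable: nothing to trust */
    if (!S_ISREG(st.st_mode))
        return 0;                 /* symlink, fifo, directory: ignore */
    if (st.st_uid != geteuid())
        return 0;                 /* not owned by the current (effective) user */
    if (st.st_mode & S_IWOTH)
        return 0;                 /* world writeable: anyone could have edited it */
    return 1;
}

/* Constructed fixture for the demonstration (hypothetical helper): write a
 * harmless rc file and force its mode with chmod so the umask does not
 * interfere. Returns 0 on success. */
int make_rc(const char *path, mode_t mode)
{
    const char *body = "--leak-check=full\n";   /* constructed sample content */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, body, strlen(body));
    close(fd);
    if (n != (ssize_t)strlen(body))
        return -1;
    return chmod(path, mode);
}

int main(void)
{
    const char *ok = "/tmp/rc_owned_0644", *bad = "/tmp/rc_world_0666";
    if (make_rc(ok, 0644) != 0 || make_rc(bad, 0666) != 0)
        return 1;
    printf("%s trusted=%d\n", ok, valgrindrc_is_trusted(ok));   /* 1 */
    printf("%s trusted=%d\n", bad, valgrindrc_is_trusted(bad)); /* 0 */
    unlink(ok);
    unlink(bad);
    return 0;
}
```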
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-01-09 19:23:50 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc ppc64 x86"
Comment 8 Markus Meier gentoo-dev 2009-01-10 09:22:36 UTC
There's a minor issue with this ebuild; apart from that it looks good on amd64/x86:
configure: WARNING: unrecognized options: --with-x
Comment 9 Maurice van der Pot (RETIRED) gentoo-dev 2009-01-10 16:41:35 UTC
It's a harmless warning. The previously optional suppression files for X are now always included, so the X use flag will be removed as was the --with-x option to configure.

I'll fix that in the next version so as not to interfere with testing for stabilization.
Comment 10 Markus Meier gentoo-dev 2009-01-10 16:44:50 UTC
amd64/x86 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-01-12 15:50:33 UTC
ppc64 done
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-13 17:23:59 UTC
ppc stable, ready for glsa-voting
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:33:12 UTC
Why is this B4? It should be B1.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 21:12:32 UTC
GLSA 200902-03