On Tue, Sep 28, 2010 at 04:21:09AM +0000, Raphael Geissert wrote:

Hi!

> During a review of the Debian archive, I've found your package to
> contain a script that can be abused by an attacker to execute arbitrary
> code.

> /usr/bin/ardour2 line 5:
> export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH

Can you elaborate on this or give a link with a more detailed explanation?

LD_LIBRARY_PATH is a well-known feature, and every binary can, by design, be run with libraries from different paths, including CWD, if the user sets LD_LIBRARY_PATH appropriately. I don't see how importing LD_LIBRARY_PATH in a script is any different from running an arbitrary binary (also with LD_LIBRARY_PATH being set). According to your logic, every dynamically linked binary would be vulnerable.

In other words, I don't see a security issue at all. If the user deliberately sets LD_LIBRARY_PATH, it's his ultimate responsibility. LD_LIBRARY_PATH is just a more cumbersome way of running completely different code.

I might miss something, but unless you rely on RPATH, you could file this kind of bug against almost every package. And given that LD_LIBRARY_PATH is a valid use case, we somehow need to pass it to the binary. I don't see that manually filtering LD_LIBRARY_PATH is any good. The user sets it, the user gets it.

Please feel free to correct my understanding of the "issue" at hand.

Cheerio

--
mail: a...@thur.de
http://adi.thur.de
PGP/GPG: key via keyserver
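The export quoted from line 5 of /usr/bin/ardour2, worked through as an added example that is not part of the original message or of the ardour package: when LD_LIBRARY_PATH is unset or empty, the expansion ends in a colon, and ld.so(8) documents a zero-length entry as the current working directory. The function names and the sample script text are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed helpers, not code from the ardour2 package.

# Form used in the quoted line: the ":" is always emitted.
# $1 = directory to prepend, $2 = inherited LD_LIBRARY_PATH (may be empty)
build_unguarded() {
    printf '%s' "$1:$2"
}

# Guarded form: the ":" separator appears only when the inherited value is non-empty.
build_guarded() {
    printf '%s' "$1${2:+:$2}"
}

# Return 0 if a colon-separated search path has an empty component
# (leading, trailing or doubled colon), which the dynamic linker reads as the CWD.
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit helper: read script text on stdin and print "N:line" for assignments that
# join $LD_LIBRARY_PATH with an unconditional colon; ${LD_LIBRARY_PATH:+...} forms are skipped.
find_unguarded_exports() {
    grep -nE 'LD_LIBRARY_PATH=.*(:\$\{?LD_LIBRARY_PATH\}?|\$\{?LD_LIBRARY_PATH\}?:)' \
        | grep -vF 'LD_LIBRARY_PATH:+'
}

# Constructed sample wrapper: line 2 is the quoted form, line 3 the guarded form.
SAMPLE_SCRIPT='#!/bin/sh
export LD_LIBRARY_PATH=/usr/lib/ardour2:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=/usr/lib/ardour2${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}'

# Compare both forms for a user who never set LD_LIBRARY_PATH.
for builder in build_unguarded build_guarded; do
    path=$("$builder" /usr/lib/ardour2 '')
    if has_empty_component "$path"; then
        echo "$builder -> '$path' (empty entry: CWD is searched)"
    else
        echo "$builder -> '$path' (no empty entry)"
    fi
done

echo "Flagged lines in the sample wrapper:"
printf '%s\n' "$SAMPLE_SCRIPT" | find_unguarded_exports
```

In both forms a value the user sets deliberately is passed through unchanged; the two differ only when the variable is unset or empty.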