Fedora Core 5 ships the libtool-ltdl library which is used to load dynamic modules. It is compiled to search for libraries using relative paths which may make it possible for an attacker to load arbitrary libraries into the program
afe99ea514e981aa99d99af57ca16247f29a11d4b17257e65a3b46920ad2fa20Hello,
Fedora Core 5 ships the libtool-ltdl library which is used to load
dynamic modules. This package seems to be built with some strange setup
causing a search path of
| $ strings /usr/lib/libltdl.so
| /lib:/usr/lib:hwcap:0:nosegneg:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/qt-3.3/lib
Effect is, that dynamic libraries are searched in three relative paths
('hwcap', '0' and 'nosegneg') and loaded from there:
| $ echo 'int main() { lt_dlinit(); lt_dlopenext("foo"); }' > foo.c
| $ gcc foo.c -lltdl
| # strace ./a.out
| open("/lib/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("/usr/lib/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("hwcap/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("0/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("nosegneg/foo.la", O_RDONLY) = 3
| ...
| open("/tmp/test/bin/nosegneg/foo.so", O_RDONLY) = 3
Mentioned paths are used also in /usr/bin/libtool:
| $ grep nosegneg /usr/bin/libtool
| sys_lib_dlsearch_path_spec="/lib /usr/lib hwcap 0 nosegneg /usr/lib/mysql /usr/lib/mysql /usr/lib/mysql /usr/lib/qt-3.3/lib "
but effect is unknown.
Impact:
low till medium
Affected:
Fedora Core 5 Updates (libtool-ltdl-1.5.22-2.3)
Not Affected:
Fedora Core 5 (libtool-ltdl-1.5.22-2.2)
Fedora Core Devel
Vendor was notified at 2006-10-08
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209930
Enrico
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed