CVE-2005-4791: Insecure LD_LIBRARY_PATH in liferea

Related Vulnerabilities: CVE-2005-4791  

Debian Bug report logs - #451548
CVE-2005-4791: Insecure LD_LIBRARY_PATH in liferea


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 16 Nov 2007 20:00:01 UTC

Severity: important

Tags: security

Found in version liferea/1.0.27-2

Fixed in version liferea/1.4.9-1

Done: Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Franz Pletz <fpletz@franz-pletz.org>:
Bug#451548; Package liferea. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Franz Pletz <fpletz@franz-pletz.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2005-4791: Insecure LD_LIBRARY_PATH in liferea
Date: Fri, 16 Nov 2007 20:57:05 +0100
Package: liferea
Version: 1.0.27-2
Severity: important
Tags: security

Liferea 1.4.6-1 sets 

	LD_LIBRARY_PATH=/usr/lib/xulrunner:$LD_LIBRARY_PATH

in its start script. If LD_LIBRARY_PATH is empty, this will result in

	LD_LIBRARY_PATH=/usr/lib/xulrunner:

which is equivalent to

	LD_LIBRARY_PATH=/usr/lib/xulrunner:.

This means the current working directory is searched for libraries before /lib
and /usr/lib, which is of course a security problem.

Liferea 1.0.27-2 uses

	LD_LIBRARY_PATH=:$LD_LIBRARY_PATH
	
which is even insecure if LD_LIBRARY_PATH was set.

Instead of ":$LD_LIBRARY_PATH" use
"${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}", which expands to nothing (not
even a colon) if LD_LIBRARY_PATH is empty.

Please mention the CVE id in the changelog.
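
An added example, not part of the original report or of liferea's start script: it builds the search path with the two start-script forms quoted above and with two parameter-expansion guards, then flags any result containing an empty element. It goes slightly beyond the report by separating the unset case from the set-but-empty case, where `${VAR+...}` still emits the colon and `${VAR:+...}` does not; `INHERITED` and `/opt/demo/lib` are constructed stand-ins for the caller's LD_LIBRARY_PATH.

```shell
#!/bin/sh
# Added example. BASE is the directory named in the report; INHERITED and
# /opt/demo/lib are constructed stand-ins for the caller's LD_LIBRARY_PATH.
BASE=/usr/lib/xulrunner

# Succeeds if the list has an empty element (leading, trailing or doubled
# colon), which the dynamic loader reads as the current working directory.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Each builder prints the path one construction would produce.
build_1_0_27()     { printf '%s' ":${INHERITED}"; }                       # 1.0.27-2 form
build_1_4_6()      { printf '%s' "${BASE}:${INHERITED}"; }                # 1.4.6-1 form
build_plus()       { printf '%s' "${BASE}${INHERITED+:$INHERITED}"; }     # guard on "set"
build_colon_plus() { printf '%s' "${BASE}${INHERITED:+:$INHERITED}"; }    # guard on "set and non-empty"

# Print every construction for the current state of INHERITED.
audit() {
    for f in build_1_0_27 build_1_4_6 build_plus build_colon_plus; do
        p=$("$f")
        if has_empty_entry "$p"; then verdict='searches CWD'; else verdict=ok; fi
        printf '%-6s %-17s %-34s %s\n' "$1" "$f" "$p" "$verdict"
    done
}

unset INHERITED;         audit unset
INHERITED='';            audit empty
INHERITED=/opt/demo/lib; audit set
```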

	




Information forwarded to debian-bugs-dist@lists.debian.org, Franz Pletz <fpletz@franz-pletz.org>:
Bug#451548; Package liferea. (full text, mbox, link).


Acknowledgement sent to "Lars Lindner" <lars.lindner@gmail.com>:
Extra info received and forwarded to list. Copy sent to Franz Pletz <fpletz@franz-pletz.org>. (full text, mbox, link).


Message #10 received at 451548@bugs.debian.org (full text, mbox, reply):

From: "Lars Lindner" <lars.lindner@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 451548@bugs.debian.org
Subject: Re: Bug#451548: CVE-2005-4791: Insecure LD_LIBRARY_PATH in liferea
Date: Fri, 16 Nov 2007 21:39:36 +0100

On Nov 16, 2007 8:57 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
> Package: liferea
> Version: 1.0.27-2
> Severity: important
> Tags: security
>
> Liferea 1.4.6-1 sets
>
>         LD_LIBRARY_PATH=/usr/lib/xulrunner:$LD_LIBRARY_PATH
>
> in its start script. If LD_LIBRARY_PATH is empty, this will result in
>
>         LD_LIBRARY_PATH=/usr/lib/xulrunner:
>
> which is equivalent to
>
>         LD_LIBRARY_PATH=/usr/lib/xulrunner:.
>
> This means the current working directory is searched for libraries before /lib
> and /usr/lib, which is of course a security problem.
>
> Liferea 1.0.27-2 uses
>
>         LD_LIBRARY_PATH=:$LD_LIBRARY_PATH
>
> which is even insecure if LD_LIBRARY_PATH was set.
>
> Instead of ":$LD_LIBRARY_PATH" use
> "${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}", which expands to nothing (not
> even a colon) if LD_LIBRARY_PATH is empty.
>
> Please mention the CVE id in the changelog.

Upstream I implemented the following solution:

Index: src/liferea.in
===================================================================
--- src/liferea.in      (Revision 3546)
+++ src/liferea.in      (Arbeitskopie)
@@ -14,8 +14,18 @@

 params="$@"

-LD_LIBRARY_PATH=@MOZILLA_LIB_ROOT@:$LD_LIBRARY_PATH
-export LD_LIBRARY_PATH
+#
+# If we run with Gecko or XulRunner we need to set
+# LD_LIBRARY_PATH (WebKit and GtkHTML do not need this).
+#
+if [ "@MOZILLA_LIB_ROOT@" != "" ]; then
+       if [ "$LD_LIBRARY_PATH" = ""]; then
+               LD_LIBRARY_PATH=@MOZILLA_LIB_ROOT@
+       else
+               LD_LIBRARY_PATH=@MOZILLA_LIB_ROOT@:$LD_LIBRARY_PATH
+       fi
+       export LD_LIBRARY_PATH
+fi

 if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
        eval `dbus-launch`
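
Review bot: In the inner test, `if [ "$LD_LIBRARY_PATH" = ""]; then`, there is no space between `""` and `]`, so the shell passes `]` as the right-hand operand and `[` is left without its closing bracket. The test then fails with an error instead of evaluating to true, the `else` branch always runs, and an empty LD_LIBRARY_PATH still yields `@MOZILLA_LIB_ROOT@:` with the trailing colon the report describes. Suggest `if [ -z "$LD_LIBRARY_PATH" ]; then`, matching the `-z` test already used for DBUS_SESSION_BUS_ADDRESS a few lines below.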



Do you think this is sufficient?

Best Regards,
Lars




Information forwarded to debian-bugs-dist@lists.debian.org, Franz Pletz <fpletz@franz-pletz.org>:
Bug#451548; Package liferea. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Franz Pletz <fpletz@franz-pletz.org>. (full text, mbox, link).


Message #15 received at 451548@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: "Lars Lindner" <lars.lindner@gmail.com>
Cc: 451548@bugs.debian.org
Subject: Re: Bug#451548: CVE-2005-4791: Insecure LD_LIBRARY_PATH in liferea
Date: Fri, 16 Nov 2007 22:50:46 +0100

On Friday 16 November 2007, Lars Lindner wrote:
> -LD_LIBRARY_PATH=@MOZILLA_LIB_ROOT@:$LD_LIBRARY_PATH
> -export LD_LIBRARY_PATH
> +#
> +# If we run with Gecko or XulRunner we need to set
> +# LD_LIBRARY_PATH (WebKit and GtkHTML do not need this).
> +#
> +if [ "@MOZILLA_LIB_ROOT@" != "" ]; then
> +       if [ "$LD_LIBRARY_PATH" = ""]; then
> +               LD_LIBRARY_PATH=@MOZILLA_LIB_ROOT@
> +       else
> +               LD_LIBRARY_PATH=@MOZILLA_LIB_ROOT@:$LD_LIBRARY_PATH
> +       fi
> +       export LD_LIBRARY_PATH
> +fi
>
>  if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
>         eval `dbus-launch`
>
>
>
> Do you think this is sufficient?

Yes, I think that's fine.

Cheers,
Stefan




Information forwarded to debian-bugs-dist@lists.debian.org, Franz Pletz <fpletz@franz-pletz.org>:
Bug#451548; Package liferea. (full text, mbox, link).


Acknowledgement sent to Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>:
Extra info received and forwarded to list. Copy sent to Franz Pletz <fpletz@franz-pletz.org>. (full text, mbox, link).


Message #20 received at 451548@bugs.debian.org (full text, mbox, reply):

From: Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
To: Lars Lindner <lars.lindner@gmail.com>, 451548@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: Bug#451548: CVE-2005-4791: Insecure LD_LIBRARY_PATH in liferea
Date: Fri, 16 Nov 2007 16:25:36 -0600

On Fri, Nov 16, 2007 at 09:39:36PM +0100, Lars Lindner wrote:
> On Nov 16, 2007 8:57 PM, Stefan Fritsch <sf@sfritsch.de> wrote:

> > Liferea 1.4.6-1 sets
> >
> >         LD_LIBRARY_PATH=/usr/lib/xulrunner:$LD_LIBRARY_PATH
> >
> > in its start script.

Given that, in Debian, we do not even need to set LD_LIBRARY_PATH for
liferea to work, I'll be using Lars' patch for an upload to unstable,
but will simply remove the offending lines from the wrapper script for
the updated packages for sarge and testing.

-- 
Rodrigo Gallardo
GPG-Fingerprint: 7C81 E60C 442E 8FBC D975  2F49 0199 8318 ADC9 BC28

Tags added: pending Request was from Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> to control@bugs.debian.org. (Sat, 17 Nov 2007 00:27:01 GMT) (full text, mbox, link).


Reply sent to Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #27 received at 451548-close@bugs.debian.org (full text, mbox, reply):

From: Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
To: 451548-close@bugs.debian.org
Subject: Bug#451548: fixed in liferea 1.4.9-1
Date: Mon, 03 Dec 2007 23:32:03 +0000
Source: liferea
Source-Version: 1.4.9-1

We believe that the bug you reported is fixed in the latest version of
liferea, which is due to be installed in the Debian FTP archive:

liferea-dbg_1.4.9-1_i386.deb
  to pool/main/l/liferea/liferea-dbg_1.4.9-1_i386.deb
liferea-webkit_1.4.9-1_i386.deb
  to pool/main/l/liferea/liferea-webkit_1.4.9-1_i386.deb
liferea-xulrunner_1.4.9-1_all.deb
  to pool/main/l/liferea/liferea-xulrunner_1.4.9-1_all.deb
liferea_1.4.9-1.diff.gz
  to pool/main/l/liferea/liferea_1.4.9-1.diff.gz
liferea_1.4.9-1.dsc
  to pool/main/l/liferea/liferea_1.4.9-1.dsc
liferea_1.4.9-1_i386.deb
  to pool/main/l/liferea/liferea_1.4.9-1_i386.deb
liferea_1.4.9.orig.tar.gz
  to pool/main/l/liferea/liferea_1.4.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 451548@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com> (supplier of updated liferea package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 01 Dec 2007 20:16:06 -0600
Source: liferea
Binary: liferea-webkit liferea-dbg liferea-xulrunner liferea
Architecture: source all i386
Version: 1.4.9-1
Distribution: unstable
Urgency: low
Maintainer: Franz Pletz <fpletz@franz-pletz.org>
Changed-By: Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
Description: 
 liferea    - feed aggregator for GNOME
 liferea-dbg - liferea debug symbols
 liferea-webkit - webkit rendering engine for liferea
 liferea-xulrunner - transitional dummy package
Closes: 444888 451548 453521
Changes: 
 liferea (1.4.9-1) unstable; urgency=low
 .
   * New upstream releases.
    [1.4.7] - Fixed catalan translation (Closes: #444888).
    [1.4.8] - Fix insecure setting of LD_LIBRARY_PATH (CVE-2005-4791)
      (Closes: #451548).
    [1.4.9] - Fixes broken negative search folders rules (Closes: #453521).
    - Various other bug fixes not reported in Debian, see upstream changelog.
   * Set Dm-Upload-Allowed: yes in debian/control.
Files: 
 a9ad7b835d65a729bb0cc41c12f2bcc9 1156 gnome optional liferea_1.4.9-1.dsc
 701d363ec60c921b32d9322d4f70d713 1587275 gnome optional liferea_1.4.9.orig.tar.gz
 53ed209ec0e839c2570837885b547cc9 12934 gnome optional liferea_1.4.9-1.diff.gz
 6169384b2b491e8038d36ee44e805144 983526 gnome optional liferea_1.4.9-1_i386.deb
 b7ccf9734a2233f693425161fc191eba 608460 gnome optional liferea-dbg_1.4.9-1_i386.deb
 f27083dd2b24a713d6ded94e85532e1d 21480 gnome optional liferea-webkit_1.4.9-1_i386.deb
 4611ffa92a4c132cc979013c766de8d9 17312 gnome optional liferea-xulrunner_1.4.9-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHVI3+QUuEI2/szeARAqOqAJ0XmOyP1JOdcSJVbJMzJ4gLnXl0pgCfQusa
lPqwtGdtiR5w+O+l8mUBofU=
=Rbw1
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 May 2008 07:45:26 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:45:54 2019; Machine Name: beach
