[Fedora] libtool-ltdl uses relative paths to resolve and load libraries

2007-03-08 / 2007-03-09
Credit: Enrico Scholz
Risk: Low
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 6.6/10
Impact Subscore: 10/10
Exploitability Subscore: 2.7/10
Exploit range: Local
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hello,

Fedora Core 5 ships the libtool-ltdl library which is used to load dynamic modules. This package seems to be built with some strange setup causing a search path of

| $ strings /usr/lib/libltdl.so
| /lib:/usr/lib:hwcap:0:nosegneg:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/qt-3.3/lib

Effect is, that dynamic libraries are searched in three relative paths ('hwcap', '0' and 'nosegneg') and loaded from there:

| $ echo 'int main() { lt_dlinit(); lt_dlopenext("foo"); }' > foo.c
| $ gcc foo.c -lltdl
| # strace ./a.out
| open("/lib/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("/usr/lib/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("hwcap/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("0/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("nosegneg/foo.la", O_RDONLY) = 3
| ...
| open("/tmp/test/bin/nosegneg/foo.so", O_RDONLY) = 3

Mentioned paths are used also in /usr/bin/libtool:

| $ grep nosegneg /usr/bin/libtool
| sys_lib_dlsearch_path_spec="/lib /usr/lib hwcap 0 nosegneg /usr/lib/mysql /usr/lib/mysql /usr/lib/mysql /usr/lib/qt-3.3/lib "

but effect is unknown.

Impact: low till medium

Affected: Fedora Core 5 Updates (libtool-ltdl-1.5.22-2.3)

Not Affected: Fedora Core 5 (libtool-ltdl-1.5.22-2.2)
              Fedora Core Devel

Vendor was notified at 2006-10-08
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209930

Enrico
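A packaging-time check for the condition reported above, as an added example that is not part of the original advisory or of libtool: it flags every search path entry that does not start with '/'. The function names relative_entries and spec_from_libtool are hypothetical; the sample string is the one quoted in the report.

```shell
#!/bin/sh
# Added example (not from the advisory): detect relative entries in a
# libltdl / libtool library search path. Function names are hypothetical.

# Print each entry of the spec in $1 (colon- or whitespace-separated) that
# is not an absolute path, one per line. Returns 1 if any were found.
relative_entries() {
    _re_found=0
    set -f                              # no globbing while word-splitting
    for _re_entry in $(printf '%s' "$1" | tr ':' ' '); do
        case $_re_entry in
            /*) ;;                      # absolute path: resolved independently of cwd
            *)  printf '%s\n' "$_re_entry"
                _re_found=1 ;;          # relative: resolved against the caller's cwd
        esac
    done
    set +f
    return $_re_found
}

# Extract the value of sys_lib_dlsearch_path_spec from a libtool script ($1).
spec_from_libtool() {
    sed -n 's/^sys_lib_dlsearch_path_spec="\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Constructed sample: the search path string quoted in the report above.
SAMPLE_SPEC='/lib:/usr/lib:hwcap:0:nosegneg:/usr/lib/mysql:/usr/lib/qt-3.3/lib'

if ! bad=$(relative_entries "$SAMPLE_SPEC"); then
    printf 'relative search path entries found:\n%s\n' "$bad"
fi
```

On a build host the same function can be fed the output of spec_from_libtool /usr/bin/libtool, and a non-zero return used to fail the package build.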

