Saturday, February 11, 2012

CVE-2010-4000 and gnome-shell

You can view a description of the issue here. From the description we can tell that the error is in how LD_LIBRARY_PATH is exported. Get the source and try to locate the vuln quickly.

$ egrep -r "LD_LIBRARY_PATH" *
aclocal.m4:      printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
aclocal.m4:        printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
aclocal.m4:          echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
aclocal.m4:          echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH" ],
...
...
...
src/gnome-shell.in:            env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') + ':' + mozjs_libdir

Let's have a better look at src/gnome-shell.in.

232     pkgconfig = subprocess.Popen(['pkg-config', '--variable=sdkdir', 'mozilla-js'],
233                                  stdout=subprocess.PIPE)
234     mozjs_sdkdir = pkgconfig.communicate()[0].strip()
235     pkgconfig.wait()
236     if pkgconfig.returncode == 0:
237         mozjs_libdir = re.sub('-(sdk|devel)', '', mozjs_sdkdir)
238         if os.path.exists(mozjs_libdir + '/libmozjs.so'):
239             env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') + ':' + mozjs_libdir

Ok, so the return code is checked on line 236, so lines 233 and 234 could not be the cause of the vulnerability. The regex just removes every occurrence of "-sdk" or "-devel". However, if LD_LIBRARY_PATH is not defined, we get something like this:

>>> import os
>>> env = {}
>>> env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') + ':' + mozjs_libdir
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'mozjs_libdir' is not defined
>>> mozjs_libdir = "/tmp/ladedaa"
>>> env['LD_LIBRARY_PATH'] = os.environ.get('LD_LIBRARY_PATH', '') + ':' + mozjs_libdir
>>> env
{'LD_LIBRARY_PATH': ':/tmp/ladedaa'}

The dynamic linker treats an empty entry in LD_LIBRARY_PATH as the current working directory, so the leading ':' makes gnome-shell pick up shared libraries from whatever directory it was started in. The proper fix for this would be to check whether LD_LIBRARY_PATH is already set and only then append to it, otherwise set the new value on its own.
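As an added example (not the gnome-shell code itself), here is the original concatenation next to the fixed version, plus a small helper that flags empty LD_LIBRARY_PATH entries; the names build_vulnerable, build_fixed, empty_entries and mozjs_env are chosen here for illustration.

```python
import os


def build_vulnerable(existing, mozjs_libdir):
    # Original gnome-shell.in logic: unconditional ':' join, so an unset or
    # empty LD_LIBRARY_PATH yields a leading empty entry (":/path").
    return existing + ':' + mozjs_libdir


def build_fixed(existing, mozjs_libdir):
    # Only add the separator when there is already a value to separate from.
    if existing:
        return existing + ':' + mozjs_libdir
    return mozjs_libdir


def empty_entries(ld_library_path):
    # ld.so treats an empty entry (leading, trailing or doubled ':') as the
    # current working directory; return the index of each such entry.
    return [i for i, p in enumerate(ld_library_path.split(':')) if p == '']


def mozjs_env(environ, mozjs_libdir, builder=build_fixed):
    # Mirror the script: copy the caller's environment and set LD_LIBRARY_PATH.
    env = dict(environ)
    env['LD_LIBRARY_PATH'] = builder(environ.get('LD_LIBRARY_PATH', ''), mozjs_libdir)
    return env


if __name__ == '__main__':
    libdir = '/tmp/ladedaa'  # constructed value, same as the post's session
    for name, builder in (('vulnerable', build_vulnerable), ('fixed', build_fixed)):
        # An empty dict stands in for os.environ with LD_LIBRARY_PATH unset.
        value = mozjs_env({}, libdir, builder)['LD_LIBRARY_PATH']
        print(name, repr(value), 'empty entries:', empty_entries(value))
```

Running it with an unset LD_LIBRARY_PATH shows the vulnerable builder producing ':/tmp/ladedaa' with entry 0 flagged, and the fixed builder producing '/tmp/ladedaa' with none.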


You can view the Launchpad bug/discussion here.
