Fedora Core 5 ships the libtool-ltdl library, which is used to load dynamic modules. It is compiled to search for libraries using relative paths, which may make it possible for an attacker to load arbitrary libraries into the program.
Hello,
Fedora Core 5 ships the libtool-ltdl library which is used to load
dynamic modules. This package seems to be built with some strange setup
causing a search path of
| $ strings /usr/lib/libltdl.so
| /lib:/usr/lib:hwcap:0:nosegneg:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/qt-3.3/lib
The effect is that dynamic libraries are searched for in three relative paths
('hwcap', '0' and 'nosegneg') and loaded from there:
| $ echo 'int main() { lt_dlinit(); lt_dlopenext("foo"); }' > foo.c
| $ gcc foo.c -lltdl
| # strace ./a.out
| open("/lib/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("/usr/lib/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("hwcap/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("0/foo.la", O_RDONLY) = -1 ENOENT (No such file or directory)
| open("nosegneg/foo.la", O_RDONLY) = 3
| ...
| open("/tmp/test/bin/nosegneg/foo.so", O_RDONLY) = 3
The mentioned paths are also used in /usr/bin/libtool:
| $ grep nosegneg /usr/bin/libtool
| sys_lib_dlsearch_path_spec="/lib /usr/lib hwcap 0 nosegneg /usr/lib/mysql /usr/lib/mysql /usr/lib/mysql /usr/lib/qt-3.3/lib "
but the effect is unknown.
Impact:
low to medium
Affected:
Fedora Core 5 Updates (libtool-ltdl-1.5.22-2.3)
Not Affected:
Fedora Core 5 (libtool-ltdl-1.5.22-2.2)
Fedora Core Devel
The vendor was notified on 2006-10-08
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209930
Enrico
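
A defender-side check for the condition reported above, added here as an example and not part of the original advisory: it flags non-absolute entries in a library search path and looks for such path lists embedded in a binary. The function names `relative_entries` and `audit_binary` are hypothetical, the sample strings are the two quoted in the advisory, and directory names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the advisory): audit search paths for relative entries.

# relative_entries SPEC
# Print each entry of a colon- or space-separated search path that does not
# start with "/". Empty entries (e.g. from a trailing separator) are skipped.
relative_entries() {
    printf '%s\n' "$1" | tr ' ' ':' | tr ':' '\n' |
    while IFS= read -r entry; do
        case $entry in
            ''|/*) ;;                     # empty or absolute: nothing to report
            *) printf '%s\n' "$entry" ;;  # resolved against the process's cwd
        esac
    done
}

# audit_binary FILE
# Split FILE into printable runs (a minimal stand-in for strings(1)), keep runs
# that look like a colon-separated path list starting with "/", and report the
# relative entries of each as "FILE: entry".
audit_binary() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
    grep -E '^/[^:]*(:[^:]+)+$' |
    while IFS= read -r spec; do
        relative_entries "$spec" |
        while IFS= read -r entry; do
            printf '%s: %s\n' "$1" "$entry"
        done
    done
}

# Sample input: the two search path strings quoted in the advisory.
LTDL_PATH='/lib:/usr/lib:hwcap:0:nosegneg:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/mysql:/usr/lib/qt-3.3/lib'
LIBTOOL_SPEC='/lib /usr/lib hwcap 0 nosegneg /usr/lib/mysql /usr/lib/mysql /usr/lib/mysql /usr/lib/qt-3.3/lib '

relative_entries "$LTDL_PATH"
relative_entries "$LIBTOOL_SPEC"
```

On an installed system the same check can be pointed at the library itself, for example `audit_binary /usr/lib/libltdl.so`; no output means no relative entries were found in any embedded path list.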