Tux Guitar

Problems

Subject Security flaw in tuxguitar (Linux)



Author Message
oget
Post: Sep 29th 2010 at 3:23 AM

Hi,
Today I got a security bug filed in Fedora bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=638396

In simple words:
When $LD_LIBRARY_PATH is empty, the line
LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib/tuxguitar/
becomes just
LD_LIBRARY_PATH=:/usr/lib/tuxguitar/

Because of the leading colon, this means that the current working directory is prepended to LD_LIBRARY_PATH. Provided he has write access, the local attacker can place a malicious library where the user is likely to execute the tuxguitar executable and then boom!

The ant .xml files need to be corrected via something like

if [ -z ${LD_LIBRARY_PATH} ]; then
export LD_LIBRARY_PATH=/usr/lib/foo
else
export LD_LIBRARY_PATH=/usr/lib/foo:${LD_LIBRARY_PATH}
fi


Back to Top
 
oget
Post: Sep 29th 2010 at 3:40 AM

I uploaded a proposed patch for the file
tuxguitar-build-fedora.xml here

http://fpaste.org/H6iR/


Back to Top
 
oget
Post: Sep 29th 2010 at 8:23 AM

An alternate one liner fix was pointed to me as

export LD_LIBRARY_PATH=/usr/lib/foo${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}


Back to Top
 
oget
Post: Oct 2nd 2010 at 1:49 AM

Here is a nicer and shorter fix

http://fpaste.org/EgLB/


Back to Top