REDHAT-BUG-641224

First published: Fri Oct 08 2010(Updated: )

Dmitri Gribenko discovered that the soffice script in the Openoffice.org package contained an insecure setting for the LD_LIBRARY_PATH, which could be abused by an attacker to execute arbitrary code. The vulnerability is due to an insecure change to LD_LIBRARY_PATH, and environment variable used by ld.so(8) to look for libraries in directories other than the standard paths. When there is an empty item in the colon-separated list of directories in LD_LIBRARY_PATH, ld.so(8) treats it as a '.' (current working directory). If the given script is executed from a directory where a local attacker could write files, there is a chance for exploitation. Currently in our soffice script we do... LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH} while we should do... LD_LIBRARY_PATH=$my_path${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} so if someone currently does export LD_LIBRARY_PATH= then our LD_LIBRARY_PATH ends up as LD_LIBRARY_PATH=/path: which has an empty entry which effectively means LD_LIBRARY_PATH=/path:. Acknowledgements: Red Hat would like to thank Dmitri Gribenko for reporting this issue.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-bugzilla
• alias/CVE-2010-3689
• agent/type
• agent/references
• agent/first-publish-date
• agent/last-modified-date
• agent/severity
• agent/description
• agent/event
• agent/tags
• agent/softwarecombine
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/apache
• canonical/apache openoffice