A remote attacker could entice a user to open a specially crafted ISO
image in the cd-info and iso-info applications, resulting in the
execution of arbitrary code with the privileges of the user running the
application. Applications linking against shared libraries of libcdio
are not affected.
Workaround
==========
OK, uses shared libs, right:
-rwsr-s--x 1 oracle dba 145M Aug 31 16:42 oracle
An executable of almost 150 megabytes, using shared libraries. It actually has 17 shared library dependencies. The other shared libraries provided by Oracle, which are linked dynamically by other executables shipped with Oracle 11g, were statically linked into the oracle executable at compile time. Libraries of 30 megabytes and more are both linked in and shipped next to the binary, just in case.
The first step of the analysis was to narrow down the relevant cryptographic algorithm and its implementation. To that end, different techniques were used to locate the relevant functions and instructions within the executable. Most cryptographic algorithms, ciphers and checksum calculations alike, expose some kind of "signature": individual tokens such as S-Boxes, transformation tables or constant values. These can often be detected automatically within the binary, using tools like the FindCrypt IDA plugin or the scripts we developed for our own purposes.
At least 57 places with crypto were found by FindCrypt: DES, MD4, MD5, SHA1, just to name a few. We found at least two independently implemented sets of AES cipher constants, and every algorithm was implemented two or three times over.
Problem Description:
A flaw in how tomboy handles LD_LIBRARY_PATH was discovered: by
appending paths to LD_LIBRARY_PATH, the program would also search the
current directory for shared libraries. In directories containing
network data, those libraries could be injected into the application.
The updated packages have been patched to correct this issue.
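The pitfall behind this class of bug, as an added example that is not part of the advisory: when a program builds a search path as `"$LD_LIBRARY_PATH:/some/dir"` while the variable is unset, the result starts with a colon, and the dynamic loader treats the empty element as the current working directory. The function names and the `/opt/app/lib` value are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from tomboy itself.

# Naive append, the pattern behind this bug class: when the existing list
# is empty the result is ":/opt/app/lib", and the empty element before the
# colon is searched as the current working directory by the dynamic loader.
naive_append() {
    printf '%s:%s' "$1" "$2"
}

# Safe append: only emit the separator when there is an existing list.
safe_append() {
    if [ -n "$1" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$2"
    fi
}

# Returns 0 when the colon-separated list contains an empty element
# (leading, trailing or doubled colon), i.e. an implicit "." search entry.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration on a constructed value; an unset LD_LIBRARY_PATH is the
# common case that triggers the problem.
demo_list=$(naive_append "" /opt/app/lib)
if has_empty_element "$demo_list"; then
    echo "unsafe: '$demo_list' lets the loader search the current directory"
fi
demo_list=$(safe_append "" /opt/app/lib)
if ! has_empty_element "$demo_list"; then
    echo "safe:   '$demo_list'"
fi
```

The same check applies to any colon-separated loader search list, including paths embedded as RPATH or RUNPATH at link time.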
imagine legitimate use cases for this functionality, so the glibc developers
provide an exception to this rule.
LD_PRELOAD
A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. For set-user-ID/set-group-ID ELF binaries, only libraries in the standard search directories that are also set-user-ID will be loaded.
(gdb) r
Starting program: /Volumes/ARC/299
Reading symbols for shared libraries ++. done
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x002271ac in __diff_D2A ()
current process and its children. The chroot(2) system call is widely
used in many applications as a measure of limiting a process's access to
the file system, as part of implementing privilege separation.
The nsdispatch(3) API implementation has a feature to reload its
configuration on demand. This feature may also load shared libraries
and run code provided by the library when requested by the configuration
file.
II. Problem Description