
Issue metadata

Status: Fixed
Owner:
Closed: Sep 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug-Security
M-6


Issue 54132: Security: Insecure library loading in Google Chrome for Linux

Reported by adammein@google.com, Sep 1 2010 Project Member

Issue description

Received external report: #686499149. I've asked whether he has a Google account to add to the bug. Hopefully, he'll get back to me soon.

=================

I've discovered that Google Chrome as distributed for Linux uses the
LD_LIBRARY_PATH environment variable unsafely in its startup script.
The following line in /usr/bin/google-chrome sets this variable:

LD_LIBRARY_PATH="$PROGDIR:$PROGDIR/lib:$LD_LIBRARY_PATH"

Note that if LD_LIBRARY_PATH is previously unset, as will usually be
the case, this leaves a dangling ":" at the end of the variable, which
is interpreted by the linker as the current directory. Therefore, if
a user could be enticed into opening the Chrome browser from an
attacker-controlled directory, that attacker could easily load
maliciously crafted libraries in place of legitimate ones. This can
be trivially verified by placing a blank "libc.so.6" file in a
directory and attempting to launch google-chrome from there. I have
been unable to determine a remote vector for this issue.

This can easily be fixed by verifying that the LD_LIBRARY_PATH
environment variable is set before using it in a subsequent
assignment. Please keep me posted on any progress, including whether
this will be assigned a CVE identifier, etc.

=============
 

Comment 1 by adammein@google.com, Sep 1 2010

Added vulnerability reporter to CC list.

Comment 2 by chromium...@gmail.com, Sep 1 2010

Labels: -Pri-0 -Area-Undefined Pri-3 Area-Internals SecSeverity-Low OS-Linux
Status: Available

Comment 3 by infe...@chromium.org, Sep 3 2010

Labels: Mstone-6
Status: Assigned
Evan, this looks like a trivial fix. Can you please take a look?

Comment 4 by evan@chromium.org, Sep 13 2010

Sorry for the embarrassingly slow response -- I've been on vacation.  We probably need a better escalation path for this kind of thing...  CC'ing some people who know more about this script.

Comment 5 by evan@chromium.org, Sep 13 2010

Tentatively picking a better assignee, while I'm at it.

Comment 6 by mmoss@chromium.org, Sep 13 2010

Status: Fixed
Fixed in chrome-internal r9633 and added to build in r9637.

Comment 7 by infe...@chromium.org, Sep 13 2010

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
Michael, can you please merge to the 517 branch?

Comment 8 by mmoss@chromium.org, Sep 13 2010

Status: Fixed
Merged in r9640

Comment 9 by scarybea...@gmail.com, Sep 13 2010

Status: FixUnreleased
@dan.j.rosenberg: thanks for the report! What name + optional affiliation would you like us to use when we credit you in our release notes?

Comment 10 by dan.j.ro...@gmail.com, Sep 13 2010

Chris: you can credit me as Dan Rosenberg (Virtual Security Research).  Thanks for the prompt fix!

Comment 11 by bugdro...@gmail.com, Sep 13 2010

Summary: Security: Insecure library loading in Google Chrome for Linux
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=59285

------------------------------------------------------------------------
r59285 | mmoss@google.com | Mon Sep 13 14:57:02 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/tools/build/linux/chrome-wrapper?r1=59285&r2=59284&pathrev=59285

Fix another instance of potentially dangling ":" in LD_LIBRARY_PATH.

This file is not packaged with Chrome, so not as likely to cause problems, but
cleaning it up for completeness.

BUG= 54132 

Review URL: http://codereview.chromium.org/3372010
------------------------------------------------------------------------

Comment 12 by bugdro...@gmail.com, Sep 15 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=59579

------------------------------------------------------------------------
r59579 | markus@chromium.org | Wed Sep 15 16:35:19 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/chrome/tools/build/linux/chrome-wrapper?r1=59579&r2=59578&pathrev=59579

The recent change for setting LD_LIBRARY_PATH doesn't actually work, as the
script is executed by /bin/sh. On many systems, /bin/sh does not have support
for "[[". We could either switch to a different shell (e.g. /bin/bash), we
could switch to using "[" instead, or we could avoid the entire problem by
using "${:+}" variable expansion.

I tested that the latter does the right thing with /bin/bash, /bin/ash,
/bin/dash, /bin/zsh, /bin/sh (the latter being a symbolic link to /bin/dash).
So, I think we are on the safe side.

BUG= 54132 
TEST=Start Chrome and notice that there no longer is an error message about "[[" being unavailable
Review URL: http://codereview.chromium.org/3412004
------------------------------------------------------------------------
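The dangling-colon assignment quoted in the report and the `${VAR:+word}` form this revision describes, side by side, as an added example that is not the Chromium chrome-wrapper script; the PROGDIR value and the function names are constructed for illustration, and the script stays POSIX sh so it runs under dash as well as bash.

```shell
#!/bin/sh
# Added example, not Chromium's own wrapper. Shows why the original
# assignment leaves an empty search-path component when LD_LIBRARY_PATH
# is unset, and how the ${VAR:+...} expansion from r59579 avoids it.
PROGDIR="/opt/google/chrome"   # constructed sample value

# Original form from the report: when $1 (the inherited LD_LIBRARY_PATH)
# is unset or empty, the result ends in ':' and the dynamic linker treats
# that empty component as the current directory.
vulnerable_path() {
    printf '%s' "$PROGDIR:$PROGDIR/lib:$1"
}

# Fixed form: ${1:+:$1} expands to ":$1" only when $1 is set and non-empty,
# so the separator is appended together with the old value or not at all.
# This is plain POSIX parameter expansion, unlike the bash-only [[ ]] test
# that r59579 replaced.
fixed_path() {
    printf '%s' "$PROGDIR:$PROGDIR/lib${1:+:$1}"
}

# Defensive check for a colon-separated search path: returns 0 (true) when
# it contains an empty component (leading, trailing, or doubled ':'),
# i.e. a component ld.so would read as ".". An entirely empty path has no
# components and is reported as clean.
has_empty_component() {
    [ -z "$1" ] && return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with LD_LIBRARY_PATH unset, the common case from the report.
unset LD_LIBRARY_PATH
printf 'vulnerable: %s\n' "$(vulnerable_path "$LD_LIBRARY_PATH")"
printf 'fixed:      %s\n' "$(fixed_path "$LD_LIBRARY_PATH")"
```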

Comment 13 by bugdro...@gmail.com, Sep 16 2010

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=59599

------------------------------------------------------------------------
r59599 | markus@chromium.org | Wed Sep 15 18:07:58 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/517/src/chrome/tools/build/linux/chrome-wrapper?r1=59599&r2=59598&pathrev=59599

Merge 59579 - The recent change for setting LD_LIBRARY_PATH doesn't actually work, as the
script is executed by /bin/sh. On many systems, /bin/sh does not have support
for "[[". We could either switch to a different shell (e.g. /bin/bash), we
could switch to using "[" instead, or we could avoid the entire problem by
using "${:+}" variable expansion.

I tested that the latter does the right thing with /bin/bash, /bin/ash,
/bin/dash, /bin/zsh, /bin/sh (the latter being a symbolic link to /bin/dash).
So, I think we are on the safe side.

BUG= 54132 
TEST=Start Chrome and notice that there no longer is an error message about "[[" being unavailable
Review URL: http://codereview.chromium.org/3412004

TBR=markus@chromium.org
Review URL: http://codereview.chromium.org/3457004
------------------------------------------------------------------------

Comment 14 by scarybea...@gmail.com, Nov 3 2010

Labels: -Restrict-View-SecurityNotify
Status: Fixed

Comment 15 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 16 by jsc...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable
Batch update.

Comment 17 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-Internals -SecSeverity-Low -Mstone-6 -Type-Security -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable M-6 Cr-Internals Type-Bug-Security

Comment 19 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Low Security_Severity-Low

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
