nmlorg / naim

naim is a console client for AOL Instant Messenger (AIM), AOL I Seek You (ICQ), Internet Relay Chat (IRC), and The lily CMC.
http://naim.n.ml.org/

Vulnerability in bundled libltdl #32

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Gentoo has recently removed the ebuild for naim because naim bundles its
own libltdl instead of using the system-installed libltdl.
http://bugs.gentoo.org/show_bug.cgi?id=297649

This is because older versions of libltdl were found to be vulnerable to
the following:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736

As such, libltdl should be unbundled and naim should be made to depend on
the system's installed libltdl instead.

Original issue reported on code.google.com by thewet...@gmail.com on 16 Apr 2010 at 5:19

GoogleCodeExporter commented 9 years ago
The progress made in the original Gentoo bug report includes a patch to remove the bundled libltdl and use the system ltdl. However, some underquoted sections in the libfiretalk/firetalk.m4 script resulted in errors during configure. Applying both of the following patches will remove references to the bundled libltdl. It is necessary to run autoreconf after applying the patches to rebuild the configure script.

However, naim will still not build due to changes in the libltdl API.

Original comment by thewet...@gmail.com on 16 Apr 2010 at 5:25


GoogleCodeExporter commented 9 years ago
lt_dlopen is only called for user-initiated actions (/modload and /dlsym), and naim chdirs into the user's home directory during startup (and remains there throughout execution). No impact.

Original comment by nml...@gmail.com on 16 Apr 2010 at 5:34

GoogleCodeExporter commented 9 years ago
Further, naim should *not* be running suid...

I suspect that it may be worth it to transition to a system libltdl anyway, though. Is there a reason we still use a local libltdl, Dan?

Original comment by joshua.a...@gmail.com on 16 Apr 2010 at 7:38

GoogleCodeExporter commented 9 years ago
libltdl replaced:
lt_dlhandle_next(lt_dlhandle mod)
with:
lt_dlhandle_iterate(lt_dlinterface_id iface, lt_dlhandle mod)

And removed lt_dlforeach.

I moved the module system initialization code from main.c to conio.c to call lt_dlinit and lt_dlinterface_register. With lt_dlinterface_register, I also included a filter that requires modules to have naim_init and naim_exit functions; otherwise, a module called 'dlopen' appears in /modlist.

And I replaced the aforementioned removed functions with (hopefully) their functional equivalents.

Original comment by thewet...@gmail.com on 16 Apr 2010 at 7:50


GoogleCodeExporter commented 9 years ago
Among other issues, this thread seems to indicate ltdl has broken backwards compatibility, so we'd have to include build-time conditional logic. I don't see any compelling reason for such an invasive change in such a minor component of the program.

(And the threat wasn't necessarily for people running naim suid--obviously that could cause all sorts of issues--but if an attacker could get you to run naim from a directory they controlled, and naim tried to open a system library by name instead of path, ltdl would load the attacker's library instead of the system library.)

Original comment by nml...@gmail.com on 16 Apr 2010 at 8:07
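The comment above describes the CVE-2009-3736 failure mode: a loader asked for a library by bare name consults a search path that may include the current directory, so whoever controls that directory decides what gets loaded. The mitigation is to never hand the loader a bare name for a user-chosen module, but to resolve it to an absolute path under a fixed, trusted directory first and reject anything that could escape that directory. The following is an added example of that check, not code from naim or from the patches in this thread; the module directory, the ".so" suffix convention and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical trusted module directory; naim's real layout may differ. */
#define MODULE_DIR "/usr/lib/naim/modules"

/* Maximum length accepted for a module name typed by the user. */
#define MAX_MODULE_NAME 64

/* Return 1 if a loader spec contains no '/', i.e. it is a bare name that a
 * dlopen-style loader would resolve through its search path (which, for the
 * libltdl versions this thread discusses, could include the current
 * directory) rather than opening a specific file. */
int is_bare_name(const char *spec) {
    if (spec == NULL) return 0;
    return strchr(spec, '/') == NULL;
}

/* Map a user-supplied module name (as typed after a command such as
 * /modload) to an absolute path inside MODULE_DIR.  Only an allow-list of
 * characters is accepted, which rules out '/', '.', '..' and whitespace, so
 * the result can never point outside MODULE_DIR.  Returns a heap-allocated
 * string the caller must free, or NULL if the name is rejected. */
char *resolve_module_path(const char *name) {
    size_t i, len;
    char *path;

    if (name == NULL) return NULL;
    len = strlen(name);
    if (len == 0 || len > MAX_MODULE_NAME) return NULL;

    for (i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok) return NULL;
    }

    /* MODULE_DIR + "/" + name + ".so" + NUL */
    path = malloc(strlen(MODULE_DIR) + 1 + len + 3 + 1);
    if (path == NULL) return NULL;
    sprintf(path, "%s/%s.so", MODULE_DIR, name);
    return path;
}

/* Stand-alone use: print the resolution of each name given on the command
 * line.  The returned path is what would be passed to the loader instead of
 * the bare name. */
int main(int argc, char **argv) {
    int i;
    for (i = 1; i < argc; i++) {
        char *p = resolve_module_path(argv[i]);
        printf("%s -> %s\n", argv[i], p ? p : "(rejected)");
        free(p);
    }
    return 0;
}
```

The point of the allow-list is that the loader only ever sees an absolute path built from a constant prefix, so the search path (and therefore the working directory) never participates in choosing the file; the chdir-to-home behaviour mentioned earlier in the thread then becomes defence in depth rather than the only thing standing between a bare name and the wrong library.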

GoogleCodeExporter commented 9 years ago
Because it is a huge pain to maintain naim on a system with a new libtool without this (in particular, you can't build with the old libtool on OS X Lion), I'm integrating this as I push forward. Thanks for the patch -- and tell whoever made that compat break in libtool that they can perish in a conflagration.

Original comment by joshua.a...@gmail.com on 25 Jul 2011 at 8:53

GoogleCodeExporter commented 9 years ago
This has been integrated into the latest snapshot.

Original comment by joshua.a...@gmail.com on 10 Sep 2011 at 11:25