McAfee Unhappy with Gentoo Security
Friday, 15. December 2006, 04:43:51
One of our developers noticed that a package in portage was failing a QA test, so they started working on removing it from the tree (due to license restrictions we cannot fix it). Although the developer who found it didnt realise it at the time, it turns out that the bug in question was a serious security problem.
The binary package (McAfee VirusScan for Linux) had set an DT_RPATH containing the working directory, this means that the program will search there for shared libraries, which is obviously a bad idea and means that if you invoke virusscan from the same working directory where the untrusted file you're trying to scan is, virusscan might actually execute it for you (this also applies to automated systems, such as mail scanners).
As the bug was already public (on gentoo-dev mailing list and on our publically accessible bugzilla), as soon as I realised it was a security issue we emailed McAfee to explain the problem and organised sending out an advisory as quickly as possible.
Well it turns out McAfee werent too happy with this and publically flamed us for not being proffessional or "responsible" and putting users in danger. Of course they're not responsible for selling flawed software, it's all our fault for finding the problem and informing them and our users about it.
They also completely failed to understand the nature of the bug (they say, "as the privilege of the executed code is not raised from the privileges of the executing user"...which makes no sense, and also "an attacker would have had to compromise the machine through another mechanism in order to place the malicious library on the system", which is just plain dumb.) but at least they acknowledged theres a problem.
The binary package (McAfee VirusScan for Linux) had set an DT_RPATH containing the working directory, this means that the program will search there for shared libraries, which is obviously a bad idea and means that if you invoke virusscan from the same working directory where the untrusted file you're trying to scan is, virusscan might actually execute it for you (this also applies to automated systems, such as mail scanners).
As the bug was already public (on gentoo-dev mailing list and on our publically accessible bugzilla), as soon as I realised it was a security issue we emailed McAfee to explain the problem and organised sending out an advisory as quickly as possible.
Well it turns out McAfee werent too happy with this and publically flamed us for not being proffessional or "responsible" and putting users in danger. Of course they're not responsible for selling flawed software, it's all our fault for finding the problem and informing them and our users about it.
They also completely failed to understand the nature of the bug (they say, "as the privilege of the executed code is not raised from the privileges of the executing user"...which makes no sense, and also "an attacker would have had to compromise the machine through another mechanism in order to place the malicious library on the system", which is just plain dumb.) but at least they acknowledged theres a problem.