#1138596 python3-ifcopenshell: Uncontrolled Search Path Element (CWE-427) in python3.14 wrapper

Package:
python3-ifcopenshell
Source:
python3-ifcopenshell
Description:
Library for working with Industry Foundation Classes (IFC) data
Submitter:
Jonathan Trowbridge
Date:
2026-05-31 23:23:02 UTC
Severity:
normal
Tags:
Message #5
Date:
2026-05-31 23:21:02 UTC
*Summary:*

The python3-ifcopenshell Debian package installs the Python extension
module:
/usr/lib/python3/dist-packages/ifcopenshell/_ifcopenshell_wrapper.cpython-314-aarch64-linux-gnu.so

This library contains a RUNPATH with an empty trailing path element:

RUNPATH
[/build/reproducible-path/ifcopenshell-0.8.1+dfsg1/debian/build/3.14:/build/reproducible-path/ifcopenshell-0.8.1+dfsg1/debian/build/3.14/svgfill:]

Empty entries in an ELF RUNPATH (such as the trailing colon in this
RUNPATH) are interpreted by the dynamic linker as the current working
directory (CWD). As a result, when
_ifcopenshell_wrapper.cpython-314-aarch64-linux-gnu.so resolves its
dependencies, the dynamic linker searches the process working directory.

This permits library search path hijacking if an attacker places a
malicious shared library in the directory from which a victim executes
software that imports the ifcopenshell module using Python 3.14.

*Impact:*

An attacker can cause execution of attacker-controlled code in the security
context of the user running the affected application.

Since python3-ifcopenshell provides Python bindings, a victim might execute
a Python script from a directory (such as a downloaded dataset, extracted
archive, shared workspace, or /tmp) that contains an attacker-controlled
shared library. If this occurs, the malicious library will be loaded and
executed before the legitimate system library.

This issue falls under CWE-427 (Uncontrolled Search Path Element).
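Editor's note: the check below is an added example for readers auditing their own packages; it is not part of this bug report and not code from the ifcopenshell project. It parses an ELF64 file's PT_DYNAMIC segment with the standard library only (no readelf/objdump), pulls the DT_RUNPATH and DT_RPATH strings, and flags the elements that make the dynamic linker search the current working directory: empty elements (the trailing colon above) and relative elements. Leaked /build/ or /tmp/ paths are reported as informational. The function and constant names are the example's own; EXAMPLE_RUNPATH is the value quoted in this report. Two caveats worth remembering when triaging results: glibc consults DT_RUNPATH after LD_LIBRARY_PATH but before ld.so.cache and the default directories, so a library in the CWD wins over the system copy; and DT_RUNPATH (unlike a lone DT_RPATH) only governs the direct DT_NEEDED dependencies of the object that carries it.

```python
"""Flag ELF DT_RUNPATH/DT_RPATH elements that resolve to the current working directory."""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
ELF_MAGIC = b"\x7fELF"

# RUNPATH quoted in the bug report above (two leaked build paths plus an empty trailing element).
EXAMPLE_RUNPATH = ("/build/reproducible-path/ifcopenshell-0.8.1+dfsg1/debian/build/3.14:"
                   "/build/reproducible-path/ifcopenshell-0.8.1+dfsg1/debian/build/3.14/svgfill:")


def _unpack_at(f, fmt, offset):
    f.seek(offset)
    size = struct.calcsize(fmt)
    data = f.read(size)
    if len(data) != size:
        raise ValueError("truncated ELF at offset %d" % offset)
    return struct.unpack(fmt, data)


def read_dynamic_paths(path):
    """Return {"DT_RUNPATH": str, "DT_RPATH": str} (only the tags present) for an ELF64
    file, or None if the file is not ELF64 or has no dynamic section / string table."""
    with open(path, "rb") as f:
        ident = f.read(16)
        if ident[:4] != ELF_MAGIC or ident[4] != 2:   # EI_CLASS 2 == ELFCLASS64
            return None
        end = "<" if ident[5] == 1 else ">"            # EI_DATA 1 == little endian
        hdr = _unpack_at(f, end + "HHIQQQIHHHHHH", 16)
        e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
        loads, dynamic = [], None
        for i in range(e_phnum):
            p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = _unpack_at(
                f, end + "IIQQQQ", e_phoff + i * e_phentsize)
            if p_type == PT_LOAD:
                loads.append((p_vaddr, p_offset, p_filesz))
            elif p_type == PT_DYNAMIC:
                dynamic = (p_offset, p_filesz)
        if dynamic is None:
            return None
        # Walk the dynamic array until DT_NULL; entries are (signed tag, unsigned value).
        entries = []
        dyn_off, dyn_size = dynamic
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = _unpack_at(f, end + "qQ", off)
            if d_tag == DT_NULL:
                break
            entries.append((d_tag, d_val))
        strtab_vaddr = next((v for t, v in entries if t == DT_STRTAB), None)
        if strtab_vaddr is None:
            return None
        # DT_STRTAB holds a virtual address; map it to a file offset via the covering PT_LOAD.
        strtab_off = None
        for seg_vaddr, seg_off, seg_filesz in loads:
            if seg_vaddr <= strtab_vaddr < seg_vaddr + seg_filesz:
                strtab_off = strtab_vaddr - seg_vaddr + seg_off
        if strtab_off is None:
            raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")
        result = {}
        for tag, name in ((DT_RUNPATH, "DT_RUNPATH"), (DT_RPATH, "DT_RPATH")):
            for t, v in entries:
                if t == tag:
                    f.seek(strtab_off + v)
                    raw = b""
                    while b"\0" not in raw:            # read the NUL-terminated string in chunks
                        chunk = f.read(256)
                        if not chunk:
                            break
                        raw += chunk
                    result[name] = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
        return result


def classify_search_path(value):
    """Split a DT_RUNPATH/DT_RPATH value on ':' and return (element, kind) pairs:
      'cwd'       empty element; glibc's ld.so searches the current working directory for it
      'relative'  element not rooted at '/' or $ORIGIN; also resolved against the CWD
      'build-dir' absolute path under /build/ or /tmp/, a leaked build tree (informational)"""
    findings = []
    for elem in value.split(":"):
        if elem == "":
            findings.append((elem, "cwd"))
        elif not (elem.startswith("/") or elem.startswith("$ORIGIN") or elem.startswith("${ORIGIN}")):
            findings.append((elem, "relative"))
        elif elem.startswith("/build/") or elem.startswith("/tmp/"):
            findings.append((elem, "build-dir"))
    return findings


if __name__ == "__main__":
    # Usage: python3 runpath_check.py /usr/lib/python3/dist-packages/ifcopenshell/*.so
    status = 0
    for path in sys.argv[1:]:
        try:
            paths = read_dynamic_paths(path)
        except (OSError, ValueError) as exc:
            print("%s: skipped (%s)" % (path, exc))
            continue
        for tag, value in (paths or {}).items():
            for elem, kind in classify_search_path(value):
                print("%s: %s element %r: %s" % (path, tag, elem, kind))
                if kind != "build-dir":
                    status = 1
    sys.exit(status)
```

Run it over the installed .so files of a package (or over a whole dist-packages tree with a shell glob) and any non-zero exit means at least one object will look in the CWD for a dependency. An element like `/usr/lib:` is just as bad as `:/usr/lib`; the position of the empty element only changes whether the CWD is searched before or after the listed directory.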

*Proof of Concept:*

*1. Create an attacker-controlled workspace:*

$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace

*2. Create the malicious payload:*

$ cat << 'EOF' > poc_ifc.c
#include <stdio.h>
#include <stdlib.h>