#1138597 python3-ledger: Library search path hijacking via empty RUNPATH elements

Package:
python3-ledger
Source:
python3-ledger
Description:
command-line double-entry accounting program (python3 extension)
Submitter:
Jonathan Trowbridge
Date:
2026-06-04 23:37:02 UTC
Severity:
normal
Tags:
#1138597#5
Date:
2026-06-01 00:13:06 UTC
*Summary:*

The python3-ledger Debian package installs the Python extension module:
/usr/lib/python3/dist-packages/ledger.cpython-313-aarch64-linux-gnu.so

This library contains a RUNPATH consisting entirely of empty path elements:

RUNPATH [:::::::::::::::]

Empty entries in an ELF RUNPATH are interpreted by the dynamic linker as
the current working directory (CWD). As a result, when
ledger.cpython-313-aarch64-linux-gnu.so resolves its dependencies, the
dynamic linker searches the process working directory before falling back
to the system library paths.

This permits library search path hijacking if an attacker can place a
malicious shared library in a directory from which a victim executes
software that imports the ledger module.

*Impact:*

An attacker can cause execution of attacker-controlled code in the security
context of the user running the affected application.

Since python3-ledger provides Python bindings, a victim might execute a
Python script from a directory (such as a downloaded dataset, extracted
archive, shared workspace, or /tmp) that contains an attacker-controlled
shared library. If this occurs, the malicious library will be loaded and
executed before the legitimate system library.

This issue falls under CWE-427 (Uncontrolled Search Path Element).

*Proof of Concept:*

*1. Create an attacker-controlled workspace:*

$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace

*2. Create the malicious payload:*

$ cat << 'EOF' > poc_ledger.c
#include <stdio.h>
#include <stdlib.h>

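A self-contained audit for the condition described in the report above, added here as an example; it is not the submitter's proof of concept and not code from the ledger project. It parses the section header table of a 64-bit little-endian ELF object, pulls every DT_RPATH/DT_RUNPATH string out of .dynamic, and flags the elements that glibc's ld.so resolves against the current working directory (an empty element, or any element that is not absolute and not $ORIGIN-relative). Because no compiler or real shared object is assumed, the block also constructs a minimal, non-loadable ELF64 image carrying a RUNPATH of the same shape as the one in the report; objects with their section headers stripped are out of scope for this parser.

```python
"""Audit DT_RUNPATH / DT_RPATH strings in an ELF64 little-endian object for
elements that make ld.so search the current working directory.

Added example for the report above; not code from the submitter or the
ledger project. Layout constants follow the System V ELF64 ABI.
"""
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}
CWD_EMPTY = "empty element: searched as the CWD"
CWD_RELATIVE = "relative element: resolved against the CWD"


def search_path_tags(data: bytes) -> list[tuple[str, str]]:
    """Return [(tag_name, value), ...] for every DT_RPATH/DT_RUNPATH entry.

    Finds SHT_DYNAMIC in the section header table, resolves its string table
    through sh_link, and reads each tag's NUL-terminated string.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = []
    for _, sh_type, _, _, sh_offset, sh_size, sh_link, _, _, _ in shdrs:
        if sh_type != SHT_DYNAMIC:
            continue
        str_off, str_size = shdrs[sh_link][4], shdrs[sh_link][5]
        strtab = data[str_off:str_off + str_size]
        for pos in range(sh_offset, sh_offset + sh_size, 16):   # sizeof(Elf64_Dyn)
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag in TAG_NAMES:
                end = strtab.index(b"\x00", d_val)
                found.append((TAG_NAMES[d_tag], strtab[d_val:end].decode()))
    return found


def audit_search_path(value: str) -> list[tuple[int, str, str]]:
    """Classify each colon-separated element of an RPATH/RUNPATH string.

    glibc's ld.so treats an empty element as the current working directory,
    and a non-absolute element is also resolved relative to the CWD; both let
    a library in the victim's CWD shadow the system copy. $ORIGIN-relative
    elements resolve against the object's own directory and are not flagged.
    """
    findings = []
    for index, elem in enumerate(value.split(":")):
        if elem == "":
            findings.append((index, elem, CWD_EMPTY))
        elif not elem.startswith(("$ORIGIN", "${ORIGIN}", "/")):
            findings.append((index, elem, CWD_RELATIVE))
    return findings


def audit_elf(data: bytes) -> dict[str, list[tuple[int, str, str]]]:
    """Map each search-path tag in the object to its list of findings."""
    return {tag: audit_search_path(value) for tag, value in search_path_tags(data)}


def audit_file(path: str) -> dict[str, list[tuple[int, str, str]]]:
    with open(path, "rb") as fh:
        return audit_elf(fh.read())


def build_synthetic_elf(runpath: str) -> bytes:
    """Construct a minimal, non-loadable ELF64 image carrying one DT_RUNPATH.

    Only what the auditor reads is present (header, .dynstr, .dynamic and the
    section headers), so the audit can be exercised without a real .so file.
    """
    dynstr = b"\x00" + runpath.encode() + b"\x00"            # string at index 1
    dynstr_off = 64
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7             # 8-byte aligned
    dynamic = struct.pack("<qQ", DT_RUNPATH, 1) + struct.pack("<qQ", DT_NULL, 0)
    shoff = dyn_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)       # ELFCLASS64, LSB, v1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 0xB7, 1, 0, 0, shoff,
                         0, 64, 56, 0, 64, 3, 0)              # ET_DYN, EM_AARCH64
    shdr = "<IIQQQQIIQQ"
    sections = (bytes(64)                                     # SHN_UNDEF entry
                + struct.pack(shdr, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
                + struct.pack(shdr, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dynamic), 1, 0, 8, 16))
    image = bytearray(shoff + len(sections))
    image[0:64] = header
    image[dynstr_off:dynstr_off + len(dynstr)] = dynstr
    image[dyn_off:dyn_off + len(dynamic)] = dynamic
    image[shoff:] = sections
    return bytes(image)


if __name__ == "__main__":
    import sys
    # With no argument, audit a constructed image whose RUNPATH has the same
    # all-empty shape as the one quoted in the report.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_elf(build_synthetic_elf(":" * 15))
    for tag, findings in result.items():
        print(tag, "OK" if not findings else f"{len(findings)} unsafe element(s)")
        for index, elem, why in findings:
            print(f"  [{index}] {elem!r}: {why}")
```

Run it as `python3 audit_runpath.py /usr/lib/python3/dist-packages/ledger.cpython-313-aarch64-linux-gnu.so` (the module name is an assumption) to check the installed object; `readelf -d <file> | grep -iE 'rpath|runpath'` gives the same raw string for a quick manual look. One caveat worth keeping in mind when judging impact: DT_RUNPATH governs only the lookup of the object's own DT_NEEDED dependencies, and ld.so consults it after LD_LIBRARY_PATH but before ld.so.cache and the default directories, so an empty element is a CWD lookup for exactly those libraries that are not already loaded in the process.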
#1138597#14
Date:
2026-06-04 23:34:22 UTC
We believe that the bug you reported is fixed in the latest version of
ledger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Bremner <bremner@debian.org> (supplier of updated ledger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 04 Jun 2026 07:41:00 +0900
Source: ledger
Architecture: source
Version: 3.4.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: David Bremner <bremner@debian.org>
Closes: 1049313 1138597
Changes:
 ledger (3.4.0-3) unstable; urgency=medium
 .
   * Bug fix: "Library search path hijacking via empty RUNPATH elements",
     thanks to Jonathan Trowbridge (Closes: #1138597).
   * Orphan package
 .
 ledger (3.4.0-2) unstable; urgency=medium
 .
   * Add doc/version.texi to d/clean (Closes: #1049313).
Checksums-Sha1:
 a420ceeb96ac15a01621408f98e3fa76d9abe175 1697 ledger_3.4.0-3.dsc
 e430556837e19b147a2af269be6694837d45eedb 8608 ledger_3.4.0-3.debian.tar.xz
Checksums-Sha256:
 685b6bf3b4f52857666bd849d6b8f7dd6ec6d66200f339f2e3ad9e8c8d6a073e 1697 ledger_3.4.0-3.dsc
 b8109c6ba96854951c54a0d52bb088e8aeb8eb29f60844bbe7d660d1fc7855d5 8608 ledger_3.4.0-3.debian.tar.xz
Files:
 debb0713ca45491c6643d6475900073f 1697 utils optional ledger_3.4.0-3.dsc
 6ab8e3d572efe3c8ab30e8b72a103ee2 8608 utils optional ledger_3.4.0-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQS5beC2erx2PFqyC7XhcL+0NDTnAAUCaiIGuwAKCRDhcL+0NDTn
AMKYAPoCbmbC2LwmJb95Xj3KwdZC5VBRfHOp9rHh+kbBB0cEyQEAiMcPd7hyu27q
xamLpw3CLAUXFHWgQHWueLHReFJuGAs=
=aUNY
-----END PGP SIGNATURE-----