199841 CVE-2005-4790 2007-11-20 23:25 0000 net-news/blam < 1.8.4 CWD in LD_LIBRARY_PATH (CVE-2005-4790) 2008-01-27 17:10:56 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org dotnet@gentoo.org jesse@boldandbusted.com latexer@gentoo.org rbu@gentoo.org 2007-11-20 23:25:20 0000 CVE-2005-4790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4790): Multiple untrusted search path vulnerabilities in SUSE Linux 9.3 and 10.0 cause the working directory to be added to LD_LIBRARY_PATH, which might allow local users to execute arbitrary code via (1) beagle, (2) tomboy, or (3) blam. rbu@gentoo.org 2007-11-20 23:28:50 0000 This bug is for blam. I'll attach a patch for this, please coordinate the inclusion upstream and apply in the ebuild. rbu@gentoo.org 2007-11-20 23:32:29 0000 Created an attachment (id=136557) blam-CVE-2005-4790-insecure-ldpath.patch py@gentoo.org 2007-12-09 00:04:53 0000 any news here? rbu@gentoo.org 2007-12-19 04:02:16 0000 Maintainers, please apply the attached patch. Otherwise we will have to bump the package ourselves or apply a p.mask. rbu@gentoo.org 2008-01-08 01:50:27 0000 Created an attachment (id=140433) blam-CVE-2005-4790-insecure-ldpath.patch The patch above was a wrong file, sorry. rbu@gentoo.org 2008-01-08 02:41:25 0000 *blam-1.8.4 (08 Jan 2008) 08 Jan 2008; Robert Buchholz <rbu@gentoo.org> -files/blam-1.6.0-gecko-fix.diff, -files/blam-1.6.1-mono-1.1.7-compat.diff, -files/blam-1.6.1-mono-1.1.7-compat-v2.diff, -files/blam-1.8.2-64-bit-int.diff, -files/blam-1.8.2-mono-1.1.17-fix.diff, -files/blam-1.8.2-seamonkey.patch, +blam-1.8.4.ebuild: Version bump by security for untrusted search path vulnerability (CVE-2005-4790, bug #199841). Cleaning up old patches. rbu@gentoo.org 2008-01-08 02:41:57 0000 Arches, please test and mark stable net-news/blam-1.8.4. Target keywords : "amd64 ppc x86" rbu@gentoo.org 2008-01-08 02:42:34 0000 *** Bug 187283 has been marked as a duplicate of this bug. *** fauli@gentoo.org 2008-01-08 09:27:01 0000 x86 stable welp@gentoo.org 2008-01-11 17:54:13 0000 amd64 done. dertobi123@gentoo.org 2008-01-11 19:42:13 0000 ppc stable jaervosz@gentoo.org 2008-01-13 14:04:10 0000 GLSA request filed. rbu@gentoo.org 2008-01-27 17:10:56 0000 GLSA 200801-14. 136557 2007-11-20 23:32 0000 blam-CVE-2005-4790-insecure-ldpath.patch blam-CVE-2005-4790-insecure-ldpath.patch text/plain SW5kZXg6IGJsYW0tMS44LjRwcmUyL2JsYW0uaW4KPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gYmxhbS0xLjguNHBy ZTIub3JpZy9ibGFtLmluCisrKyBibGFtLTEuOC40cHJlMi9ibGFtLmluCkBAIC0xLDQgKzEsNCBA QAogIyEvYmluL2Jhc2gKIAotTERfTElCUkFSWV9QQVRIPSJAcHJlZml4QC9saWI2NC9ibGFtOkBN T1pJTExBX0hPTUVAOiRMRF9MSUJSQVJZX1BBVEgiIE1PWklMTEFfRklWRV9IT01FPUBNT1pJTExB X0hPTUVAIFwKK0xEX0xJQlJBUllfUEFUSD0iQHByZWZpeEAvbGliNjQvYmxhbTpATU9aSUxMQV9I T01FQDoiIE1PWklMTEFfRklWRV9IT01FPUBNT1pJTExBX0hPTUVAIFwKIE1PWklMTEFfSE9NRT1A TU9aSUxMQV9IT01FQCBleGVjIC1hICdibGFtJyBtb25vIEBwcmVmaXhAL2xpYjY0L2JsYW0vYmxh bS5leGUgJEAK 140433 2008-01-08 01:50 0000 blam-CVE-2005-4790-insecure-ldpath.patch blam-secure-paths.patch text/plain LS0tIGJsYW0uaW4KKysrIGJsYW0uaW4KQEAgLTYsNyArNiw3IEBACiBNT1pJTExBX0ZJVkVfSE9N RT1ATU9aSUxMQV9IT01FQAogZXhwb3J0IE1PWklMTEFfRklWRV9IT01FCiAKLUxEX0xJQlJBUllf UEFUSD0iQHByZWZpeEAvbGliL2JsYW06QE1PWklMTEFfSE9NRUA6JExEX0xJQlJBUllfUEFUSCIK K0xEX0xJQlJBUllfUEFUSD0iQHByZWZpeEAvbGliL2JsYW06QE1PWklMTEFfSE9NRUAke0xEX0xJ QlJBUllfUEFUSCs6JExEX0xJQlJBUllfUEFUSH0iCiBleHBvcnQgTERfTElCUkFSWV9QQVRICiAK IGV4ZWMgbW9ubyBAcHJlZml4QC9saWIvYmxhbS9ibGFtLmV4ZSAkQAo=