Bug 188806 - app-misc/tomboy set dangerous LD_LIBRARY_PATH on start
Summary: app-misc/tomboy set dangerous LD_LIBRARY_PATH on start
Status: RESOLVED DUPLICATE of bug 189249
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Runpath Issues
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2007-08-14 11:37 UTC by Jan Oravec
Modified: 2007-08-23 12:15 UTC (History)
Description Jan Oravec 2007-08-14 11:37:12 UTC
/usr/bin/tomboy from app-misc/tomboy contains the line:

    export LD_LIBRARY_PATH="/usr/lib64/tomboy:$LD_LIBRARY_PATH"

which yields LD_LIBRARY_PATH="/usr/lib64/tomboy:", which means that required libraries are also looked up in the current directory. In the case of tomboy, it is usually the user's home directory, but the user may run the application from directories like /tmp as well. If someone is able to copy bogus system libraries to this directory, the user could potentially run enemy code.



Reproducible: Always

Steps to Reproduce:
1. copy bogus glibc to ~
2. run tomboy
3. profit!
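
The empty-entry problem described in this report, as an added example that is not part of the original report or of the tomboy package: the reported wrapper line beside a form that appends the separator only when LD_LIBRARY_PATH already has a value, plus a check for entries the loader resolves against the current directory. The function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, inputs are constructed.

# Form reported in /usr/bin/tomboy: "$dir:$LD_LIBRARY_PATH".
# With LD_LIBRARY_PATH unset or empty this leaves a trailing ':',
# i.e. a zero-length entry, which ld.so treats as the current directory.
build_path_reported() {
    # $1 = directory to prepend, $2 = existing LD_LIBRARY_PATH value
    printf '%s\n' "$1:$2"
}

# Hardened form: ${2:+:$2} expands to ":$2" only when $2 is non-empty,
# so no separator (and no empty entry) is added for an unset variable.
build_path_hardened() {
    printf '%s\n' "$1${2:+:$2}"
}

# Return 0 if the value holds an empty entry (leading, trailing or doubled
# ':') or a literal '.' entry; both make the loader search the cwd.
has_cwd_entry() {
    [ -n "$1" ] || return 1          # glibc ignores an empty LD_LIBRARY_PATH
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Demo over constructed values of the pre-existing variable. The third value
# already contains an empty entry: the hardened form cannot repair inherited
# input, which is why the check is run on the final value.
for existing in "" "/opt/lib" ":/opt/lib"; do
    for builder in build_path_reported build_path_hardened; do
        value=$("$builder" /usr/lib64/tomboy "$existing")
        if has_cwd_entry "$value"; then verdict="searches cwd"; else verdict="ok"; fi
        printf '%-20s existing=%-12s -> %-30s %s\n' \
            "$builder" "'$existing'" "$value" "$verdict"
    done
done
```
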
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-23 12:15:49 UTC

*** This bug has been marked as a duplicate of bug 189249 ***