Bug#: 188806
Status: RESOLVED
Resolution: DUPLICATE of bug 189249
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jan Oravec <jan.oravec@6com.sk>

Description:   Opened: 2007-08-14 11:37 0000
/usr/bin/tomboy from app-misc/tomboy contains line:

    export LD_LIBRARY_PATH="/usr/lib64/tomboy:$LD_LIBRARY_PATH"

which yields LD_LIBRARY_PATH="/usr/lib64/tomboy:", which means that required
libraries are also looked up in the current directory. In the case of tomboy, it is
usually the user's home directory, but the user may run the application from directories
like /tmp as well. If someone is able to copy bogus system libraries to this
directory, the user could potentially run enemy code.



Reproducible: Always

Steps to Reproduce:
1. copy bogus glibc to ~
2. run tomboy
3. profit!
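
Added example, not part of the original report or of the tomboy package: a shell sketch that models the wrapper's assignment, detects the empty search-path entry it produces when LD_LIBRARY_PATH is unset, and shows a construction that avoids it. The function names and the sample directories /opt/lib and /srv/lib are constructed for illustration; the example also goes one step further than the report by stripping empty entries from an inherited value.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, sample paths constructed.

# Succeeds (returns 0) when a colon-separated library path has an empty
# entry: leading colon, trailing colon, or "::". ld.so treats a zero-length
# entry as the current working directory.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Models the line quoted from /usr/bin/tomboy; $1 stands in for the
# inherited LD_LIBRARY_PATH (empty when the variable is unset).
wrapper_path_unsafe() {
    printf '%s\n' "/usr/lib64/tomboy:$1"
}

# Drops empty entries from an inherited value. The body runs in a
# subshell so the IFS and noglob changes do not leak to the caller.
strip_empty_entries() (
    IFS=:; set -f; out=
    for d in $1; do
        if [ -n "$d" ]; then out="${out:+$out:}$d"; fi
    done
    printf '%s\n' "$out"
)

# Appends ":<inherited>" only when something non-empty remains.
wrapper_path_safe() {
    clean=$(strip_empty_entries "$1")
    printf '%s\n' "/usr/lib64/tomboy${clean:+:$clean}"
}

# Compare both constructions over constructed inherited values.
for inherited in "" "/opt/lib" "/opt/lib::/srv/lib"; do
    for builder in wrapper_path_unsafe wrapper_path_safe; do
        p=$("$builder" "$inherited")
        if has_empty_entry "$p"; then verdict="searches cwd"; else verdict="ok"; fi
        printf '%-20s inherited=%-22s -> %s (%s)\n' \
            "$builder" "'$inherited'" "$p" "$verdict"
    done
done
```

The same `has_empty_entry` check can be run over the value a wrapper script exports to audit other launchers for this pattern.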

------- Comment #1 From Pierre-Yves Rofes 2007-08-23 12:15:49 0000 -------

*** This bug has been marked as a duplicate of bug 189249 ***
