Bug 345561 (CVE-2010-4159) - dev-lang/mono: Binary Planting Vulnerability (CVE-2010-4159)
Summary: dev-lang/mono: Binary Planting Vulnerability (CVE-2010-4159)
Status: RESOLVED FIXED
Alias: CVE-2010-4159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://github.com/mono/mono/commit/d...
Whiteboard: B4 [glsa]
Depends on: 352808 359651
Reported: 2010-11-15 04:38 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-21 20:53 UTC (History)

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-15 04:38:21 UTC
From http://www.openwall.com/lists/oss-security/2010/11/10/3:

"http://www.mono-project.com/DllNotFoundException explains that the mono runtime searches the current working directory for DLLs. This opens a serious security hole. Malicious code can be given the same name as a DLL and left in a directory the user might visit. Also, it means that no mono application can safely set the current working directory.

Microsoft themselves addressed this issue in Windows: http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

It's a well-known "dummies" question for Unix why you must not have "." on your path: http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html

Mono is exposing users to these same old hat problems.

(As a related problem, many mono programs seem to *assume* that they will be run with the CWD set to their installed directory, and break if it isn't.)"
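The search-order problem the quoted post describes, as an added example that is not part of the bug report, of Mono's metadata/loader.c, or of the upstream fix: a first-match library lookup over an ordered list of directories, a check that reports which directories an attacker could plant a same-named file in ahead of the trusted one, and a hardened search path that drops the current working directory and every relative entry. The library name, the directory layout under a temporary directory, the search orders, and the "attacker controls the Downloads directory" predicate are all constructed for the demonstration.

```python
"""Binary-planting model for a CWD-inclusive library search path.

Added example; this is not Mono's loader code. The search orders, the
library name and the directory layout below are constructed for
illustration only.
"""
import os
import shutil
import tempfile
from typing import Callable, Iterable, List, Optional


def resolve_library(name: str, search_dirs: Iterable[str]) -> Optional[str]:
    """First-match lookup: return <dir>/<name> for the first directory in
    search_dirs that contains it. This is what lets a planted file win when
    an attacker-writable directory is searched before the trusted one."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def shadowing_dirs(search_dirs: Iterable[str], trusted_dir: str,
                   attacker_writable: Callable[[str], bool]) -> List[str]:
    """Directories searched before trusted_dir that the attacker can write
    to. Any hit means a same-named file planted there is loaded instead of
    the legitimate library."""
    trusted = os.path.realpath(trusted_dir)
    hits: List[str] = []
    for directory in search_dirs:
        if os.path.realpath(directory) == trusted:
            break
        if attacker_writable(directory):
            hits.append(directory)
    return hits


def harden_search_path(search_dirs: Iterable[str]) -> List[str]:
    """Keep only absolute entries and drop the current working directory,
    so a directory the user merely visits no longer takes part in the
    lookup. Assumed hardening for this example; it mirrors the intent of
    the upstream fix, not its code."""
    cwd = os.path.realpath(os.getcwd())
    return [d for d in search_dirs
            if os.path.isabs(d) and os.path.realpath(d) != cwd]


def demo() -> dict:
    """Build a throwaway tree holding a legitimate library and a planted
    one, chdir into the attacker's directory, and compare both lookups."""
    root = tempfile.mkdtemp(prefix="planting-")
    libname = "libexample.so"                                   # hypothetical name
    sysdir = os.path.join(root, "usr", "lib")                   # trusted location
    downloads = os.path.join(root, "home", "user", "Downloads")  # attacker-writable
    os.makedirs(sysdir)
    os.makedirs(downloads)
    with open(os.path.join(sysdir, libname), "w") as fh:
        fh.write("legit")
    with open(os.path.join(downloads, libname), "w") as fh:
        fh.write("planted")

    # In this model the attacker controls only the Downloads directory.
    def attacker_writable(directory: str) -> bool:
        return os.path.realpath(directory) == os.path.realpath(downloads)

    def contents(path: Optional[str]) -> Optional[str]:
        if path is None:
            return None
        with open(path) as fh:
            return fh.read()

    previous_cwd = os.getcwd()
    os.chdir(downloads)  # the user "visits" the attacker's directory
    try:
        vulnerable = [".", sysdir]  # CWD searched first, as the report describes
        hardened = harden_search_path(vulnerable)
        return {
            "vulnerable": contents(resolve_library(libname, vulnerable)),
            "hardened": contents(resolve_library(libname, hardened)),
            "shadowing": shadowing_dirs(vulnerable, sysdir, attacker_writable),
            "hardened_path": hardened,
        }
    finally:
        os.chdir(previous_cwd)
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same check applies to any loader that consults an ordered search path: run `shadowing_dirs` with the real search order and a predicate that reflects who can write where on the target system, and treat every hit as a planting opportunity. Note that `harden_search_path` removes the CWD by comparing resolved paths, so an entry that is absolute but happens to equal the current directory is dropped as well.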
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:26:03 UTC
Mono 2.8.1 contains this fix and has been released upstream.
Comment 2 Pacho Ramos gentoo-dev 2010-11-22 09:19:36 UTC
But, if we are going to stabilize a newer mono version to fix this one, I would prefer to find time for backporting the patch to the mono-2.6 series, since I doubt mono-2.8 is ready to go stable.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:02:09 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:37:59 UTC
CVE-2010-4159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4159):
  Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and
  earlier allows local users to gain privileges via a Trojan horse shared
  library in the current working directory.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:51:17 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:36 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).