Bug 372709 (CVE-2010-3351) - <media-sound/bristol-0.60.9: LD_LIBRARY_PATH trojan horse inclusion possible (CVE-2010-3351)
Status: RESOLVED FIXED
Alias: CVE-2010-3351
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: ~3 [noglsa]
Reported: 2011-06-23 20:08 UTC by GLSAMaker/CVETool Bot
Modified: 2011-10-27 20:57 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-23 20:08:30 UTC
CVE-2010-3351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3351):
  startBristol in Bristol 0.60.5 places a zero-length directory name in the
  LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan
  horse shared library in the current working directory.
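
An added example, not part of the bug report or of Bristol's code: the page does not show startBristol, so this assumes the common cause, a script that joins a directory to an inherited `LD_LIBRARY_PATH` that is empty. It contrasts that join with a guarded one and checks a path for zero-length entries; all paths and function names are constructed.

```shell
#!/bin/sh
# Added example; directory names are constructed, not taken from startBristol.

# Succeeds when a colon-separated search path holds a zero-length entry
# (leading ':', trailing ':' or '::'); the loader reads that entry as the
# current working directory.
has_empty_entry() {
    case "$1" in
        "")         return 1 ;;  # empty value: nothing to flag
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Unguarded join: an empty inherited value leaves a trailing ':'.
build_path_unsafe() {
    printf '%s\n' "$1:$2"
}

# Guarded join: the separator is emitted only when $2 is non-empty.
build_path_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Rebuild an inherited path without its zero-length entries.
strip_empty_entries() {
    out=
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting
    for entry in $1; do
        if [ -n "$entry" ]; then
            out="${out:+$out:}$entry"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Demo with a constructed case: the caller's LD_LIBRARY_PATH is empty.
for candidate in "$(build_path_unsafe /opt/example/lib "")" \
                 "$(build_path_safe /opt/example/lib "")"; do
    if has_empty_entry "$candidate"; then
        echo "UNSAFE: '$candidate' searches the current directory"
    else
        echo "ok:     '$candidate'"
    fi
done
```
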
Comment 1 Tim Harder gentoo-dev 2011-10-27 05:17:17 UTC
This should be fixed in 0.60.9 now in CVS.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-27 20:57:45 UTC
(In reply to comment #1)
> This should be fixed in 0.60.9 now in CVS.

Thank you. Closing noglsa for ~arch only package.