Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 344059 (CVE-2010-3999) - <app-office/gnucash-2.4.4: Local Privilege Escalation Vulnerability (CVE-2010-3999)
Summary: <app-office/gnucash-2.4.4: Local Privilege Escalation Vulnerability (CVE-2010...
Status: RESOLVED FIXED
Alias: CVE-2010-3999
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://lists.fedoraproject.org/piperm...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 359033
Blocks:
  Show dependency tree
 
Reported: 2010-11-04 01:20 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-04 01:20:06 UTC
From http://www.securityfocus.com/bid/44563/discuss:

GNUCash is prone to a local privilege-escalation vulnerability.

An attacker could exploit this issue by enticing an unsuspecting victim to run an application in a directory containing a malicious library file with a specific name. Exploiting this issue allows local attackers to execute arbitrary code with the privileges of the user running the affected application.

GNUCash 2.3.15 is vulnerable; other versions may also be affected. 


I was unable to find an upstream bug, but if it helps, the red hat bug is at https://bugzilla.redhat.com/show_bug.cgi?id=644933.
Comment 1 Pacho Ramos gentoo-dev 2011-03-15 10:04:42 UTC
+*gnucash-2.4.4 (15 Mar 2011)
+
+  15 Mar 2011; Pacho Ramos <pacho@gentoo.org> -gnucash-2.4.0.ebuild,
+  -files/gnucash-2.4.0-fix-tests-linking.patch, +gnucash-2.4.4.ebuild:
+  Version bump with a lot of bugfixes, remove old.
+

But, please, wait a bit for stabilizing as 2.4 includes many changes over current stable and has been just unmasked
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-04-15 03:27:27 UTC
(In reply to comment #1)
> +*gnucash-2.4.4 (15 Mar 2011)
> +
> +  15 Mar 2011; Pacho Ramos <pacho@gentoo.org> -gnucash-2.4.0.ebuild,
> +  -files/gnucash-2.4.0-fix-tests-linking.patch, +gnucash-2.4.4.ebuild:
> +  Version bump with a lot of bugfixes, remove old.
> +
> 
> But, please, wait a bit for stabilizing as 2.4 includes many changes over
> current stable and has been just unmasked

Hi, Pacho. What do you think? Are you comfortable moving this forward? Thanks.
Comment 3 Pacho Ramos gentoo-dev 2011-04-15 09:00:01 UTC
Sadly I think bug 359033 prevents us from stabilizing this, any help with that one is highly appreciated
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-05-01 03:08:55 UTC
(In reply to comment #3)
> Sadly I think bug 359033 prevents us from stabilizing this, any help with that
> one is highly appreciated

Hi, Pacho, folks.

Should we move to stabilize 2.4.5 now? Thanks!
Comment 5 Pacho Ramos gentoo-dev 2011-05-01 09:45:35 UTC
I am really busy these days and couldn't test it :-/, but, if other gnome team member agrees with stabling it, ok :)
Comment 6 Gilles Dartiguelongue (RETIRED) gentoo-dev 2011-05-02 09:05:53 UTC
I've had no problems with 2.4 series yet and 2.4.5 has all build failure fixes we actually can do something about so I'm ok with stabilization.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-05-02 14:37:31 UTC
(In reply to comment #6)
> I've had no problems with 2.4 series yet and 2.4.5 has all build failure fixes
> we actually can do something about so I'm ok with stabilization.

Great, thanks again.

Arches, please test and mark stable:
=app-office/gnucash-2.4.5
Target keywords : "alpha amd64 ppc sparc x86"
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2011-05-02 16:53:24 UTC
Stable on alpha.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-05-03 10:39:48 UTC
Does not work for me because of bug #344231
Comment 10 Gilles Dartiguelongue (RETIRED) gentoo-dev 2011-05-03 14:34:43 UTC
(In reply to comment #9)
> Does not work for me because of bug #344231

That does not stop the build, it just makes it wait for a good amount of time for the find to complete (about 10 minutes on my laptop with python 2.6, 2.7 and 3.1).
Comment 11 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-04 17:50:04 UTC
x86 stable
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2011-05-04 17:53:29 UTC
x86 stable. Thanks.
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2011-05-04 19:34:49 UTC
amd64 done
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2011-05-07 18:35:46 UTC
sparc keyword dropped
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-22 18:23:37 UTC
ppc stable, last arch done
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:32:00 UTC
Thanks, everyone. GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 19:57:12 UTC
CVE-2010-3999 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999):
  gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory
  name in the LD_LIBRARY_PATH, which allows local users to gain privileges via
  a Trojan horse shared library in the current working directory.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:36:07 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).