From http://www.securityfocus.com/bid/44563/discuss: GNUCash is prone to a local privilege-escalation vulnerability. An attacker could exploit this issue by enticing an unsuspecting victim to run an application in a directory containing a malicious library file with a specific name. Exploiting this issue allows local attackers to execute arbitrary code with the privileges of the user running the affected application. GNUCash 2.3.15 is vulnerable; other versions may also be affected. I was unable to find an upstream bug, but if it helps, the Red Hat bug is at https://bugzilla.redhat.com/show_bug.cgi?id=644933.
+*gnucash-2.4.4 (15 Mar 2011) + + 15 Mar 2011; Pacho Ramos <pacho@gentoo.org> -gnucash-2.4.0.ebuild, + -files/gnucash-2.4.0-fix-tests-linking.patch, +gnucash-2.4.4.ebuild: + Version bump with a lot of bugfixes, remove old. + But, please, wait a bit for stabilizing as 2.4 includes many changes over current stable and has been just unmasked
(In reply to comment #1) > +*gnucash-2.4.4 (15 Mar 2011) > + > + 15 Mar 2011; Pacho Ramos <pacho@gentoo.org> -gnucash-2.4.0.ebuild, > + -files/gnucash-2.4.0-fix-tests-linking.patch, +gnucash-2.4.4.ebuild: > + Version bump with a lot of bugfixes, remove old. > + > > But, please, wait a bit for stabilizing as 2.4 includes many changes over > current stable and has been just unmasked Hi, Pacho. What do you think? Are you comfortable moving this forward? Thanks.
Sadly I think bug 359033 prevents us from stabilizing this, any help with that one is highly appreciated
(In reply to comment #3)
> Sadly I think bug 359033 prevents us from stabilizing this, any help with that
> one is highly appreciated
Hi, Pacho, folks. Should we move to stabilize 2.4.5 now? Thanks!
I am really busy these days and couldn't test it :-/, but if another GNOME team member agrees with stabilizing it, OK :)
I've had no problems with 2.4 series yet and 2.4.5 has all build failure fixes we actually can do something about so I'm ok with stabilization.
(In reply to comment #6)
> I've had no problems with 2.4 series yet and 2.4.5 has all build failure fixes
> we actually can do something about so I'm ok with stabilization.
Great, thanks again. Arches, please test and mark stable:
=app-office/gnucash-2.4.5
Target keywords : "alpha amd64 ppc sparc x86"
Stable on alpha.
Does not work for me because of bug #344231
(In reply to comment #9)
> Does not work for me because of bug #344231
That does not stop the build, it just makes it wait for a good amount of time for the find to complete (about 10 minutes on my laptop with python 2.6, 2.7 and 3.1).
x86 stable
x86 stable. Thanks.
amd64 done
sparc keyword dropped
ppc stable, last arch done
Thanks, everyone. GLSA request filed.
CVE-2010-3999 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999): gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.
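Added example, not part of the original thread and not GnuCash code: a POSIX shell check for the condition the CVE text describes (a zero-length entry in an LD_LIBRARY_PATH-style value), plus a prepend helper that avoids creating one. It goes slightly beyond the CVE by also flagging relative entries; the function names and the /opt/gnucash/lib path are constructed for illustration.

```sh
#!/bin/sh
# Added example (not GnuCash code). Audits a colon-separated search path
# such as LD_LIBRARY_PATH for entries resolved against the current directory.

# path_has_cwd_entry VALUE
# Returns 0 if VALUE contains a zero-length or relative entry, 1 otherwise.
# A wholly empty VALUE is treated as safe (assumption: glibc ignores an
# empty LD_LIBRARY_PATH and uses only its default directories).
path_has_cwd_entry() {
    value=$1
    [ -z "$value" ] && return 1
    case $value in
        :*|*:|*::*) return 0 ;;   # leading, trailing or doubled colon
    esac
    old_ifs=$IFS
    IFS=:
    set -f                        # no globbing while splitting on ':'
    for entry in $value; do
        case $entry in
            /*) ;;                # absolute entry: not cwd-dependent
            *)  IFS=$old_ifs; set +f; return 0 ;;   # ".", "lib", "../x"
        esac
    done
    IFS=$old_ifs
    set +f
    return 1
}

# prepend_dir DIR CURRENT
# Prints DIR prepended to CURRENT. The ${2:+:$2} expansion emits the colon
# only when CURRENT is non-empty, so no empty entry is produced.
prepend_dir() {
    printf '%s\n' "$1${2:+:$2}"
}

# Constructed demo with the variable unset/empty:
unsafe="/opt/gnucash/lib:"        # result of the naive "$dir:$LD_LIBRARY_PATH"
safe=$(prepend_dir /opt/gnucash/lib "")
path_has_cwd_entry "$unsafe" && echo "cwd entry present: '$unsafe'"
path_has_cwd_entry "$safe"   || echo "no cwd entry:      '$safe'"
```
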
This issue was resolved and addressed in GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml by GLSA coordinator Sean Amoss (ackle).