Bug 348340 - <net-ftp/bareftp-0.3.7: Insecure LD_LIBRARY_PATH Issue (CVE-2010-3350)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/42521/
Whiteboard: ~3 [noglsa]
Keywords:
Duplicates: 337529
Depends on:
Blocks:
 
Reported: 2010-12-10 06:39 UTC by Tim Sammut (RETIRED)
Modified: 2011-01-01 23:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2010-12-10 06:39:39 UTC
From the Secunia advisory at $URL:

Description
A security issue has been reported in bareFTP, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the "bareftp" script incorrectly setting the environment variable LD_LIBRARY_PATH. This can be exploited to gain escalated privileges e.g. by tricking a user into running the script in a directory containing a malicious library.

Solution
Update to version 0.3.6.
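
The advisory text above does not show the offending line of the "bareftp" script. As an added example (not bareFTP's or Gentoo's code), the shell sketch below assumes the usual form of this bug class, an unconditional `dir:$LD_LIBRARY_PATH` prepend, and puts it beside a hardened form and a check for search-path entries that resolve to the current directory. `/usr/lib/example-app` and the function names are placeholders.

```shell
#!/bin/sh
# Added example; the directory and function names are hypothetical.

# Assumed vulnerable pattern: the separator is always emitted. With
# LD_LIBRARY_PATH unset or empty the result is "/usr/lib/example-app:",
# and the dynamic loader treats the trailing zero-length entry as the
# current working directory.
unsafe_prepend() {    # $1 = directory to add, $2 = existing value
    printf '%s\n' "$1:$2"
}

# Hardened form: emit the colon only when there is an existing value.
safe_prepend() {      # $1 = directory to add, $2 = existing value
    printf '%s\n' "$1${2:+:$2}"
}

# Return 0 if a colon-separated search path has an entry that is resolved
# relative to the current directory: empty, ".", or any non-absolute name.
has_cwd_entry() {
    [ -n "$1" ] || return 1          # an entirely empty value adds no entries
    rest=$1
    while :; do
        entry=${rest%%:*}            # text up to the first colon
        case "$entry" in
            /*) ;;                   # absolute directory: fine
            *)  return 0 ;;          # "", "." or relative: cwd-dependent
        esac
        case "$rest" in
            *:*) rest=${rest#*:} ;;  # drop the entry just checked
            *)   break ;;
        esac
    done
    return 1
}

# Check the value a wrapper would export, starting from an empty variable.
for value in "$(unsafe_prepend /usr/lib/example-app "")" \
             "$(safe_prepend /usr/lib/example-app "")"; do
    if has_cwd_entry "$value"; then
        echo "UNSAFE: '$value' searches the current directory"
    else
        echo "ok:     '$value'"
    fi
done
```

The same check can be run over the output of `env` in a wrapper's test suite, or against `LD_LIBRARY_PATH` assignments found in installed launcher scripts.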
Comment 1 Pacho Ramos gentoo-dev 2010-12-10 18:43:00 UTC
Bumped:

+*bareftp-0.3.7 (10 Dec 2010)
+
+  10 Dec 2010; Pacho Ramos <pacho@gentoo.org> -bareftp-0.3.4.ebuild,
+  +bareftp-0.3.7.ebuild:
+  Version bump with bugfixes, including a fix for tests and a security one (bug
+  #348340). Remove old.
+
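Review bot: the "Version bump with bugfixes ..." line describes the fix only as "a security one (bug #348340)", so a reader of the ChangeLog without the bug tracker at hand cannot tell what was fixed. Naming the issue there, for example the LD_LIBRARY_PATH handling or CVE-2010-3350 from this bug's title, would make the entry self-explanatory. "Remove old." could also state that the removed bareftp-0.3.4.ebuild is an affected version, since that is the security-relevant reason for dropping it.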
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-10 18:54:41 UTC
(In reply to comment #1)
> Bumped:
> 

Thanks! Closing noglsa.

Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 23:03:22 UTC
*** Bug 337529 has been marked as a duplicate of this bug. ***