Bugtraq and Secunia published announcements that gnome-session from Gnome 2.x contains a local privilege escalation vulnerability due to a problem with initialization of the LD_LIBRARY_PATH environment variable upon session start-up. Thus it might be possible to gain escalated privileges.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1.
2.
3.

The announcements from bugtraq and secunia.com:
http://secunia.com/advisories/11224/
http://www.securityfocus.com/bid/9988/discussion/

The vulnerability was disclosed by Conectiva in one of their advisories today:
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000823

Conectiva released fixed packages for their Enterprise Edition, but unfortunately there seems to be no information about the fix or the details of the bug in the advisory or anywhere else (bugzilla at gnome.org). Secunia states that access to gnome-session should only be granted to trusted users. I'm not sure if this is really an issue for us because there was little information, but perhaps somebody has an idea about this.
gnome team: comments?
Hmm. Our Gnome session script doesn't set the LD_LIBRARY, I don't think we are vulnerable here. Anyone else?

The issue is that the wrapper scripts exported

    LD_LIBRARY_PATH="/neW/path:${LD_LIBRARY_PATH}"

which led to exploits if LD_LIBRARY_PATH was unset before this, as . was then appended to the path, and that allows arbitrary execution. This is an issue in all shell scripts and a pretty nasty one, as it can be exploited pretty much like the old "ls" one (PATH=":.:").
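Added example (not from the bug report or from gnome-session itself): the unconditional prepend the comment above quotes, next to a prepend that only adds the separator when the variable already has a value, and a check that flags the empty element the dynamic loader reads as the current directory. The directory names are placeholders.

```shell
# Example added to illustrate the comment above; not code from gnome-session.
# Directory names are placeholders.

# The pattern described above: prepend unconditionally.
# With an unset/empty $2 this yields "/neW/path:", i.e. a trailing empty element.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# Safe variant: add the ':' separator only when there is an existing value.
safe_prepend() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1:$2"
    else
        printf '%s\n' "$1"
    fi
}

# Returns 0 (true) if a colon-separated search list has an empty element:
# a leading ':', a trailing ':' or '::'. ld.so treats an empty element as
# the current working directory, which is what made the wrapper exploitable.
# A completely empty value is ignored by the loader and so is not flagged.
has_empty_element() {
    case "$1" in
        *::*|:*|*:) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration with the variable deliberately unset, as in the reported case.
unset LD_LIBRARY_PATH
candidate=$(unsafe_prepend /neW/path "${LD_LIBRARY_PATH:-}")
if has_empty_element "$candidate"; then
    echo "unsafe: '$candidate' contains an empty element (current directory)"
fi
echo "safe:   '$(safe_prepend /neW/path "${LD_LIBRARY_PATH:-}")'"
```

The same check applies to PATH and any other colon-separated search list built up in shell scripts.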
http://www.gnome.org/~markmc/blog/06042004 (session maintainer)

This is not a problem for us, we don't supply such a script. Conectiva only, it seems. This can be closed with the security team's consent.
However, we may be vulnerable to this in other scripts provided by the system.
We're not vulnerable to this specific exploit, so closing.