
Bug 345561 (CVE-2010-4159)

Summary: dev-lang/mono: Binary Planting Vulnerability (CVE-2010-4159)
Product: Gentoo Security    Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dotnet
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/mono/mono/commit/d3985be4e45a001e73fdcc47db190b3df61b2a51
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 352808, 359651    
Bug Blocks:    

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-15 04:38:21 UTC
From http://www.openwall.com/lists/oss-security/2010/11/10/3: 

"http://www.mono-project.com/DllNotFoundException explains that the mono runtime searches the current working directory for DLLs. This opens a serious security hole. Malicious code can be given the same name as a DLL and left in a directory the user might visit. Also, it means that no mono application can safely set the current working directory.

Microsoft themselves addressed this issue in Windows
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

It's a well known "dummies" question for Unix why you must not have "." on 
your path http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html

Mono is exposing users to these same old hat problems.

(As a related problem, many mono programs seem to *assume* that they will be
run with the CWD set to their installed directory, and break if it isn't.)"
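The description above cites the classic Unix hazard of having "." in the search path as the analogue of what Mono's loader was doing. The following script is an added illustration of that hazard and of a simple audit check; it is not code from this bug, from the oss-security post, or from the Mono project, and it exercises the shell's PATH lookup rather than Mono's native library search. The directory names, the fake "tool" program and the path_is_trusted helper are constructed for the example.

```shell
#!/bin/sh
# Added illustration (not from the bug report or from Mono): a search path
# that includes "." lets a same-named file planted in the current directory
# shadow the legitimate program. The directories and "tool" are made up here.
set -eu

WORK=$(mktemp -d)
mkdir -p "$WORK/trusted" "$WORK/untrusted"

# The legitimate program lives in a trusted directory ...
printf '#!/bin/sh\necho legit\n' > "$WORK/trusted/tool"
# ... and an attacker drops a same-named file where the victim will cd to.
printf '#!/bin/sh\necho planted\n' > "$WORK/untrusted/tool"
chmod 755 "$WORK/trusted/tool" "$WORK/untrusted/tool"

# Vulnerable: "." is searched before the trusted directory, so the planted
# copy is what actually runs once the victim is in the attacker's directory.
run_with_dot() {
    (cd "$WORK/untrusted" && export PATH=".:$WORK/trusted" && tool)
}

# Hardened: only an absolute, trusted directory is searched; the current
# working directory is never consulted, whatever it happens to be.
run_without_dot() {
    (cd "$WORK/untrusted" && export PATH="$WORK/trusted" && tool)
}

# Audit helper: succeed only if every entry of a colon-separated search path
# is an absolute directory. An empty entry ("", leading/trailing/double ":")
# or a relative entry such as "." or "lib" means the cwd can be searched.
path_is_trusted() {
    case $1 in
        ""|*:|:*|*::*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    for entry in $1; do
        case $entry in
            /*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Remove the scratch directory when done.
cleanup() {
    rm -rf "$WORK"
}
```

Running run_with_dot prints "planted" while run_without_dot prints "legit" from the same working directory; the only difference is whether "." appears in the search path. path_is_trusted is the check to apply to any search-path variable a program honours (PATH, LD_LIBRARY_PATH, or in Mono's case MONO_PATH) before trusting it.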
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:26:03 UTC
Mono 2.8.1 contains this fix and has been released upstream.
Comment 2 Pacho Ramos gentoo-dev 2010-11-22 09:19:36 UTC
But, if we are going to stabilize a newer mono version to fix this one, I would prefer to find time for backporting the patch to mono-2.6 series, since I doubt mono-2.8 is ready to go stable
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:02:09 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:37:59 UTC
CVE-2010-4159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4159):
  Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and
  earlier allows local users to gain privileges via a Trojan horse shared
  library in the current working directory.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:51:17 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:36 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).