Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 346401 (CVE-2010-3369)

Summary: <dev-util/mono-debugger-2.8.1-r1: Insecure Use of LD_LIBRARY_PATH (CVE-2010-3369)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dotnet
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mono-project.com/Vulnerabilities
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 352808, 359651    
Bug Blocks:    

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:31:20 UTC 
From $URL:

The mono debugger scripts (mdb and mdb-symbolreader) misuse the LD_LIBRARY_PATH environment variable (empty case) which could allow loading shared libraries from the current directory. 

Upstream has released 2.8.1 which contains the fix for this issue.
Comment 1 Pacho Ramos gentoo-dev 2010-11-22 09:22:20 UTC 
This patch could probably be backported to mono-debugger-2.6:
http://patch-tracker.debian.org/patch/series/view/mono-debugger/2.6.3-2.2/cve-2010-3369--bug598299
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:02:39 UTC 
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:43:24 UTC 
Vote: YES. New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:41 UTC 
This issue was resolved and addressed in
 GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).