Bug 356583 (CVE-2010-4005)

Comment 1 Pacho Ramos 2011-02-26 17:10:21 UTC

+*tomboy-1.4.2-r1 (26 Feb 2011)
+
+  26 Feb 2011; Pacho Ramos <pacho@gentoo.org> +tomboy-1.4.2-r1.ebuild,
+  +files/tomboy-1.4.2-insecure-path.patch:
+  Fix tomboy insecure LD_LIBRARY_PATH (CVE-2010-4005).
+

I am ok with CCing arches as soon as you need

Comment 2 Paweł Hajdan, Jr. (RETIRED) 2011-02-26 17:51:00 UTC

Thank you. Arches, please stabilize =app-misc/tomboy-1.4.2-r1

Comment 3 Agostino Sarubbo 2011-02-27 11:53:47 UTC

amd64 ok

Comment 4 Markos Chandras (RETIRED) 2011-02-27 13:55:45 UTC

amd64 done. Thanks Agostino

Comment 5 Christian Faulhammer (RETIRED) 2011-02-27 16:03:46 UTC

x86 stable

Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) 2011-03-02 11:43:48 UTC

ppc stable

Comment 7 Tim Sammut (RETIRED) 2011-03-03 07:11:45 UTC

Thanks, everyone. GLSA request filed.

Comment 8 GLSAMaker/CVETool Bot 2011-06-24 19:57:30 UTC

CVE-2010-4005 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4005):
  The (1) tomboy and (2) tomboy-panel scripts in GNOME Tomboy 1.5.2 and
  earlier place a zero-length directory name in the LD_LIBRARY_PATH, which
  allows local users to gain privileges via a Trojan horse shared library in
  the current working directory.  NOTE: vector 1 exists because of an
  incorrect fix for CVE-2005-4790.2.

Comment 9 Pacho Ramos 2012-09-29 10:08:34 UTC

Vulnerable versions were dropped long time ago

Comment 10 Justin Lecher (RETIRED) 2013-04-30 12:13:17 UTC

This one is fixed as it seems.

Comment 11 GLSAMaker/CVETool Bot 2014-01-26 01:29:37 UTC

This issue was resolved and addressed in
 GLSA 201401-28 at http://security.gentoo.org/glsa/glsa-201401-28.xml
by GLSA coordinator Sean Amoss (ackle).