From a posting to the "oss-security" list: SLiM versions prior to 1.3.1 assigned logged-on users a predefined PATH which included './'. This allowed unintentional code execution (e.g. a planted binary) and has been fixed by the developers in version 1.3.2. From the upstream's repo, this was indeed fixed in rev 171, which is after 1.3.1 was released (rev 165), so 1.3.1 is vulnerable.
Gentoo Version 1.3.1_p20091114:
default_path ./:/bin:/usr/bin:/usr/local/bin

Gentoo Version 1.3.2:
default_path /bin:/usr/bin:/usr/local/bin

My ACK for stablereq, proceed at security team's discretion since it hasn't been the normal 30 days.

Keywords: slim-1.3.1_p20091114[0]: amd64 ppc ppc64 sparc x86
Keywords: slim-1.3.2[0]: ~amd64 ~ppc ~ppc64 ~sparc ~x86
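As an added example (not code from SLiM, from the oss-security posting, or from the Gentoo ebuild), here is a POSIX sh helper that audits a PATH string for the kind of entry described above: anything empty or relative, which the shell resolves against the current directory. The function name check_path and the sample inputs are constructed for this illustration; the two PATH values are the default_path settings quoted in this bug.

```shell
#!/bin/sh
# Added audit helper, not part of SLiM or the Gentoo ebuild: report PATH
# entries that are empty or relative ('.', './', 'bin', ...). Any such
# entry makes command lookup depend on the current directory, which is
# exactly what the './' in SLiM's old default_path did.
# Usage: check_path "$PATH" || echo "PATH contains unsafe entries"
# Returns 0 when every entry is absolute, 1 otherwise; offending entries
# are printed one per line.
check_path() {
    _rest="$1:"   # trailing ':' is a sentinel so the last entry is parsed too
    _bad=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"   # text before the first ':'
        _rest="${_rest#*:}"     # everything after it
        case "$_entry" in
            "")  echo "unsafe: empty entry (searched as the current directory)"; _bad=1 ;;
            /*)  ;;              # absolute path, fine
            *)   echo "unsafe: relative entry '$_entry'"; _bad=1 ;;
        esac
    done
    return "$_bad"
}

# The two default_path values quoted in this bug, as constructed inputs:
# check_path "./:/bin:/usr/bin:/usr/local/bin"   -> reports './', returns 1
# check_path "/bin:/usr/bin:/usr/local/bin"      -> silent, returns 0
```

The empty-entry case matters as much as the literal './': a leading, trailing or doubled colon is treated by POSIX shells as the current directory, so a config that merely drops the "./" but leaves a stray ':' behind would still be flagged.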
Arches, please test and mark stable: =x11-misc/slim-1.3.2-r1
Target keywords: "amd64 ppc ppc64 sparc x86"
amd64 done
x86 stable
ppc64 done
Marked ppc stable.
sparc stable, closing
Reopening, sorry
my job done, removing
(In reply to comment #9)
> my job done, removing
>

I see some vulnerable ebuilds in the tree to be removed.

GLSA vote: YES
(In reply to comment #10)
> (In reply to comment #9)
> > my job done, removing
> >
>
> I see some vulnerable ebuilds in the tree to be removed.

already done.

+*slim-1.3.2-r2 (20 Sep 2010)
+
+  20 Sep 2010; Jeremy Olexa <darkside@gentoo.org>
+  -slim-1.3.1_p20091114.ebuild, -files/slim-1.3.1-config.diff,
+  -files/slim-1.3.1-gcc4.4.patch, -slim-1.3.2.ebuild, +slim-1.3.2-r2.ebuild,
+  -files/slim-1.3.2-config.diff, +files/slim-1.3.2-r2-config.diff,
+  +files/Xsession:
+  Revbump to vastly improve the session handling. Work done by Ian
+  Stakenvicius in bug 334111. Also remove old and cleanup.
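Review bot: the ChangeLog entry drops slim-1.3.1_p20091114.ebuild, the version whose default_path carried './', but records that only as "Also remove old and cleanup", so the security reason for the removal is not traceable from the ChangeLog; reference this bug next to bug 334111 in that entry, or split the removal of the vulnerable ebuild from the unrelated session-handling revbump.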
GLSA Vote: Yes, request filed.
The oldest version of x11-misc/slim currently in the tree is 1.3.5-r4.
Shouldn't this bug be closed?

Denis.
(In reply to Denis Dupeyron from comment #13)
> The oldest version of x11-misc/slim currently in the tree is 1.3.5-r4.
> Shouldn't this bug be closed?
>
> Denis.

No, we have no GLSA released.
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).