From a posting to the "oss-security" list:
SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
which included './'. This allowed unintentional code execution (e.g.
planted binary) and has been fixed by the developers in version 1.3.2.
From the upstream's repo, this was indeed fixed in rev 171, which is after 1.3.1 was released (rev 165), so 1.3.1 is vulnerable.
Gentoo Version 1.3.1_p20091114:
Gentoo Version 1.3.2:
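The report above says the danger is a login PATH containing './': whatever directory the session starts in becomes a binary search location. The following is an added audit example, not code from the thread or from SLiM; it assumes the display manager sets the PATH through a slim.conf key named default_path, and the conf fragment it parses is constructed for the example.

```python
# Audit a PATH string for entries that let a planted binary in the
# current (or a relative) directory be executed instead of a system binary.

# Constructed slim.conf fragment (not from the page); the key name
# default_path is an assumption about SLiM's configuration format.
SAMPLE_SLIM_CONF = """\
# constructed example
default_path        ./:/bin:/usr/bin:/usr/local/bin
default_xserver     /usr/bin/X
login_cmd           exec /bin/sh - ~/.xinitrc %session
"""


def unsafe_path_entries(path):
    """Return the PATH entries that resolve relative to the current directory.

    An empty entry or '.' means the current directory; './x' and any
    other entry not starting with '/' is resolved against it as well.
    """
    return [e for e in path.split(":") if e == "" or not e.startswith("/")]


def default_path_from_conf(conf_text):
    """Extract the default_path value from slim.conf text, or None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then the rest of the line
        if len(parts) == 2 and parts[0] == "default_path":
            return parts[1].strip()
    return None


def audit_slim_conf(conf_text):
    """Unsafe entries in the configured login PATH (empty list if safe)."""
    path = default_path_from_conf(conf_text)
    return [] if path is None else unsafe_path_entries(path)


if __name__ == "__main__":
    for entry in audit_slim_conf(SAMPLE_SLIM_CONF):
        print("unsafe PATH entry in default_path: %r" % entry)
```

A fixed configuration (PATH made only of absolute directories) produces no output from this audit.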
My ACK for stablereq, proceed at the security team's discretion since it hasn't been the normal 30 days.
Keywords: slim-1.3.1_p20091114: amd64 ppc ppc64 sparc x86
Keywords: slim-1.3.2: ~amd64 ~ppc ~ppc64 ~sparc ~x86
Arches, please test and mark stable:
Target keywords: "amd64 ppc ppc64 sparc x86"
Marked ppc stable.
sparc stable, closing
my job done, removing
(In reply to comment #9)
> my job done, removing
I see some vulnerable ebuilds in the tree to be removed.
GLSA vote: YES
(In reply to comment #10)
> (In reply to comment #9)
> > my job done, removing
> I see some vulnerable ebuilds in the tree to be removed.
+*slim-1.3.2-r2 (20 Sep 2010)
+ 20 Sep 2010; Jeremy Olexa <email@example.com>
+ -slim-1.3.1_p20091114.ebuild, -files/slim-1.3.1-config.diff,
+ -files/slim-1.3.1-gcc4.4.patch, -slim-1.3.2.ebuild, +slim-1.3.2-r2.ebuild,
+ -files/slim-1.3.2-config.diff, +files/slim-1.3.2-r2-config.diff,
+ Revbump to vastly improve the session handling. Work done by Ian
+ Stakenvicius in bug 334111. Also remove old and cleanup.
GLSA Vote: Yes, request filed.
The oldest version of x11-misc/slim currently in the tree is 1.3.5-r4. Shouldn't this bug be closed?
(In reply to Denis Dupeyron from comment #13)
> The oldest version of x11-misc/slim currently in the tree is 1.3.5-r4.
> Shouldn't this bug be closed?
No, we have no glsa released.
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).