Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 333661 (CVE-2010-2945) - <x11-misc/slim-1.3.2: Insecure PATH Assignment (CVE-2010-2945)
Summary: <x11-misc/slim-1.3.2: Insecure PATH Assignment (CVE-2010-2945)
Status: RESOLVED FIXED
Alias: CVE-2010-2945
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://svn.berlios.de/wsvn/slim?op=co...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-20 17:40 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:35 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-08-20 17:40:12 UTC
From a posting to the "oss-security" list:

SLiM versions prior to 1.3.1 assigned logged on users a predefined PATH
which included './'. This allowed unintentional code execution (e.g.
planted binary) and has been fixed by the developers in version 1.3.2.

From the upstream's repo, this was indeed fixed in rev 171, which is after 1.3.1 was released (rev 165), so 1.3.1 is vulnerable.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-20 18:15:02 UTC
Gentoo Version 1.3.1_p20091114:

default_path        ./:/bin:/usr/bin:/usr/local/bin

Gentoo Version 1.3.2:

default_path        /bin:/usr/bin:/usr/local/bin

My ACK for stablereq, proceed at security teams discretion since it hasn't been the normal 30 days.

Keywords: slim-1.3.1_p20091114[0]: amd64 ppc ppc64 sparc x86 
Keywords: slim-1.3.2[0]: ~amd64 ~ppc ~ppc64 ~sparc ~x86
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-08-28 21:13:13 UTC
Arches, please test and mark stable:
=x11-misc/slim-1.3.2-r1
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-08-28 22:45:46 UTC
amd64 done
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-28 23:34:10 UTC
x86 stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:14:18 UTC
ppc64 done
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2010-09-12 14:05:35 UTC
Marked ppc stable.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2010-09-12 15:30:31 UTC
sparc stable, closing
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-09-12 15:30:46 UTC
Reopening, sorry
Comment 9 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-20 14:53:37 UTC
my job done, removing
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-20 15:09:06 UTC
(In reply to comment #9)
> my job done, removing
> 

I see some vulnerable ebuilds in the tree to be removed.

GLSA vote: YES
Comment 11 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-20 15:25:06 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > my job done, removing
> > 
> 
> I see some vulnerable ebuilds in the tree to be removed.

already done.

+*slim-1.3.2-r2 (20 Sep 2010)
+
+  20 Sep 2010; Jeremy Olexa <darkside@gentoo.org>
+  -slim-1.3.1_p20091114.ebuild, -files/slim-1.3.1-config.diff,
+  -files/slim-1.3.1-gcc4.4.patch, -slim-1.3.2.ebuild, +slim-1.3.2-r2.ebuild,
+  -files/slim-1.3.2-config.diff, +files/slim-1.3.2-r2-config.diff,
+  +files/Xsession:
+  Revbump to vastly improve the session handling. Work done by Ian
+  Stakenvicius in bug 334111. Also remove old and cleanup.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2010-10-01 04:14:54 UTC
GLSA Vote: Yes, request filed.
Comment 13 Denis Dupeyron (RETIRED) gentoo-dev 2014-02-03 16:13:00 UTC
The oldest version of x11-misc/slim currently in the tree is 1.3.5-r4. Shouldn't this bug be closed?

Denis.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-03 17:19:53 UTC
(In reply to Denis Dupeyron from comment #13)
> The oldest version of x11-misc/slim currently in the tree is 1.3.5-r4.
> Shouldn't this bug be closed?
> 
> Denis.

No,  we have no glsa released.
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:35:09 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).