337534 – (debian-ldlibpath) [TRACKER] Insecure LD_LIBRARY_PATH setting bugs found in Debian

Bug 337534 (debian-ldlibpath) - [TRACKER] Insecure LD_LIBRARY_PATH setting bugs found in Debian

Summary: [TRACKER] Insecure LD_LIBRARY_PATH setting bugs found in Debian

Status:	RESOLVED OBSOLETE

Alias:	debian-ldlibpath

Product:	Gentoo Security
Classification:	Unclassified
Component:	Auditing (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:	Tracker

Depends on:	337529 CVE-2010-3394
Blocks:
	Show dependency tree

Reported:	2010-09-15 18:07 UTC by Alex Legler (RETIRED)
Modified:	2013-09-02 13:41 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2010-09-15 18:07:55 UTC

As posted to vendor-sec by Raphael Geissert:

"During a review of the Debian archive I've found multiple packages with 
insecure modifications to LD_LIBRARY_PATH, which allow libraries to be loaded 
from the CWD (like CVE-2010-2953 or the older CVE-2005-4790 and 
CVE-2005-4791.)"