"http://www.mono-project.com/DllNotFoundException explains that the mono
runtime searches the current working directory for DLLs. This opens a serious security hole. Malicious code can be given the same name as a DLL and left in a directory the user might visit. Also, it means that no mono application can
safely set the current working directory.
Microsoft themselves addressed this issue in Windows
It's a well-known "dummies" question for Unix why you must not have "." on
your path: http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html
Mono is exposing users to these same old hat problems.
(As a related problem, many mono programs seem to *assume* that they will be
run with the CWD set to their installed directory, and break if it isn't.)"
Mono 2.8.1 contains this fix and has been released upstream.
But if we are going to stabilize a newer mono version to fix this one, I would prefer to find time for backporting the patch to the mono-2.6 series, since I doubt mono-2.8 is ready to go stable.
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.
GLSA Vote: yes.
Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and
earlier allows local users to gain privileges via a Trojan horse shared
library in the current working directory.
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in
GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
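The report above compares the loader behaviour to having "." on the Unix path. As an added example (not part of the bug thread and not Mono's code), the shell function below audits a colon-separated search list such as `PATH` or `LD_LIBRARY_PATH` for entries that resolve to the current working directory; the function name `cwd_entries` and the sample list are constructed for illustration, and treating an empty list as clean is an assumption.

```shell
#!/bin/sh
# Added example: find entries in a colon-separated search list that resolve
# to the current working directory. Three forms do so:
#   - an empty entry (leading ':', trailing ':', or '::')
#   - '.' itself
#   - any other relative entry (e.g. 'lib' or './plugins')

# cwd_entries LIST
# Prints one "<position>:<entry>" line per risky entry.
# Returns 1 if any risky entry was found, 0 if the list is clean.
cwd_entries() {
    list=$1
    found=0
    pos=0
    # Assumption: an empty list is treated as having no entries at all.
    [ -n "$list" ] || return 0
    # Append a sentinel colon so a trailing empty entry is still visited.
    rest="$list:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # text after the first colon
        pos=$((pos + 1))
        case $entry in
            '') echo "$pos:<empty>"; found=1 ;;   # empty entry means CWD
            /*) ;;                                # absolute entry: fine
            *)  echo "$pos:$entry"; found=1 ;;    # relative entry: CWD-based
        esac
    done
    return $found
}

# Constructed sample list, not taken from any real system.
cwd_entries "/usr/lib::./plugins" || echo "search list depends on the CWD"
```

To audit a live environment, call it as `cwd_entries "$PATH"` or `cwd_entries "$LD_LIBRARY_PATH"` and treat a non-zero return as a finding.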