Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 346401 (CVE-2010-3369) - <dev-util/mono-debugger-2.8.1-r1: Insecure Use of LD_LIBRARY_PATH (CVE-2010-3369)
Summary: <dev-util/mono-debugger-2.8.1-r1: Insecure Use of LD_LIBRARY_PATH (CVE-2010-3...
Alias: CVE-2010-3369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 352808 359651
  Show dependency tree
Reported: 2010-11-22 04:31 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-21 20:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:31:20 UTC
From $URL:

The mono debugger scripts (mdb and mdb-symbolreader) misuse the LD_LIBRARY_PATH environment variable (empty case) which could allow loading shared libraries from the current directory. 

Upstream has released 2.8.1 which contains the fix for this issue.
Comment 1 Pacho Ramos gentoo-dev 2010-11-22 09:22:20 UTC
This patch could probably be backported to mono-debugger-2.6:
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:02:39 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:43:24 UTC
Vote: YES. New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:41 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at
by GLSA coordinator Tobias Heinlein (keytoaster).