Bug 346401 (CVE-2010-3369) - <dev-util/mono-debugger-2.8.1-r1: Insecure Use of LD_LIBRARY_PATH (CVE-2010-3369)
Status: RESOLVED FIXED
Alias: CVE-2010-3369
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.mono-project.com/Vulnerabi...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 352808 359651
Blocks:
Reported: 2010-11-22 04:31 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-21 20:53 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:31:20 UTC
From $URL:

The mono debugger scripts (mdb and mdb-symbolreader) misuse the LD_LIBRARY_PATH environment variable (empty case) which could allow loading shared libraries from the current directory. 

Upstream has released 2.8.1 which contains the fix for this issue.
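The "empty case" misuse described in the report, shown as an added example that is not code from the mono-debugger scripts, from upstream, or from Gentoo; the library directory name used below is a placeholder assumption. The vulnerable wrapper idiom prepends its own directory and the inherited LD_LIBRARY_PATH unconditionally, so when the variable is unset the result ends in a colon; the dynamic loader treats an empty path element as the current working directory, so a shared library planted there is loaded ahead of the system copy. The fixed form inserts the separator only when there is an inherited value to separate, and a small check function flags search paths that contain an empty element.

```shell
#!/bin/sh
# Added example, not part of the mono-debugger scripts or the bug report.
# Placeholder assumption: the wrapper's private library directory.
MONO_LIBDIR="/usr/lib/mono-debugger"

# Vulnerable idiom: always emits "<libdir>:<inherited>". With an unset or
# empty inherited LD_LIBRARY_PATH this yields a trailing ":", i.e. an empty
# element, which the dynamic loader resolves to the current directory.
vulnerable_ldpath() {
    libdir=$1
    inherited=$2
    printf '%s:%s' "$libdir" "$inherited"
}

# Fixed idiom: only join with ":" when the inherited value is non-empty.
safe_ldpath() {
    libdir=$1
    inherited=$2
    if [ -n "$inherited" ]; then
        printf '%s:%s' "$libdir" "$inherited"
    else
        printf '%s' "$libdir"
    fi
}

# Check a colon-separated search path for an empty element: a leading or
# trailing ":" or a "::" in the middle. Returns 0 (true) if one is present.
# An entirely empty string has no elements at all and is reported as clean.
has_empty_element() {
    [ -z "$1" ] && return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration on constructed input: a user whose environment has no
# LD_LIBRARY_PATH at all, which is the common case the report refers to.
demo() {
    inherited=""
    v=$(vulnerable_ldpath "$MONO_LIBDIR" "$inherited")
    s=$(safe_ldpath "$MONO_LIBDIR" "$inherited")
    printf 'vulnerable: %s\n' "$v"
    printf 'fixed:      %s\n' "$s"
    if has_empty_element "$v"; then
        echo "vulnerable form contains an empty element (current directory)"
    fi
    if ! has_empty_element "$s"; then
        echo "fixed form contains no empty element"
    fi
}

demo
```

The same check applies to any wrapper script that builds LD_LIBRARY_PATH, PATH, or LD_PRELOAD from an inherited value: audit for unconditional `$X:$INHERITED` concatenation and test with the variable unset, not only with it populated.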
Comment 1 Pacho Ramos gentoo-dev 2010-11-22 09:22:20 UTC
This patch could probably be backported to mono-debugger-2.6:
http://patch-tracker.debian.org/patch/series/view/mono-debugger/2.6.3-2.2/cve-2010-3369--bug598299
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:02:39 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:43:24 UTC
Vote: YES. New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:41 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).