Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 412481 (CVE-2012-0883) - <www-servers/apache-2.2.22-r1 : LD_LIBRARY_PATH Security Issue (CVE-2012-0883)
Summary: <www-servers/apache-2.2.22-r1 : LD_LIBRARY_PATH Security Issue (CVE-2012-0883)
Alias: CVE-2012-0883
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
: 412641 (view as bug list)
Depends on:
Reported: 2012-04-18 07:59 UTC by Agostino Sarubbo
Modified: 2012-06-24 14:29 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-18 07:59:34 UTC
From secunia security advisory at $URL:

A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the application incorrectly setting the environment variable LD_LIBRARY_PATH. This can be exploited to gain escalated privileges by e.g. tricking a user into running certain scripts in a directory containing a malicious library.

The security issue is reported in versions prior to 2.4.2.

Update to version 2.4.2.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-18 08:01:21 UTC

Since there is no fix in 2.2 version, I'd say that vulnerability was introduced in 2.4.x branch, can you check please?
Comment 2 Tomas Hoger 2012-04-18 08:33:25 UTC
(In reply to comment #1)
> Since there is no fix in 2.2 version, I'd say that vulnerability was
> introduced in 2.4.x branch, can you check please?

The fix is proposed for inclusion in 2.2:
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-04-18 16:22:08 UTC
(In reply to comment #2)
> The fix is proposed for inclusion in 2.2:

Thanks, Tomas.

@apache, from that URL:

+    Trunk patch:
+    2.2.x patch: Trunk patch works
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-04-19 14:11:45 UTC
*** Bug 412641 has been marked as a duplicate of this bug. ***
Comment 5 Patrick Lauer gentoo-dev 2012-04-20 04:24:11 UTC
+  20 Apr 2012; Patrick Lauer <> +apache-2.2.22-r1.ebuild,
+  +files/
+  Fix for #412481

Since the patch is very simple I committed it with stable keywords. Hope that makes everyone happy :)
Comment 6 Patrick Lauer gentoo-dev 2012-04-20 04:35:23 UTC
2.4.2 is in tree (but masked as 2.4 needs some more massaging to be nice)
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-04-20 06:13:49 UTC
Thanks muchly. Added to existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:41:07 UTC
CVE-2012-0883 (
  envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a
  zero-length directory name in the LD_LIBRARY_PATH, which allows local users
  to gain privileges via a Trojan horse DSO in the current working directory
  during execution of apachectl.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:35 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at
by GLSA coordinator Tobias Heinlein (keytoaster).