Bug 345561 (CVE-2010-4159) - dev-lang/mono: Binary Planting Vulnerability (CVE-2010-4159)
Summary: dev-lang/mono: Binary Planting Vulnerability (CVE-2010-4159)
Alias: CVE-2010-4159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on: 352808 359651
Reported: 2010-11-15 04:38 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-21 20:53 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-15 04:38:21 UTC

" explains that the mono 
runtime searches the current working directory for DLLs.  This opens a serious security hole.  Malicious code can be given the same name as a DLL and left in a directory the user might visit.  Also, it means that no mono application can
safely set the current working directory.

Microsoft themselves addressed this issue in Windows

It's a well known "dummies" question for Unix why you must not have "." on 
your path

Mono is exposing users to these same old hat problems.

(As a related problem, many mono programs seem to *assume* that they will be
run with the CWD set to their installed directory, and break if it isn't.)"
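
An added example, not part of the bug report or of Mono's code: a defender-side check for the class of problem the description raises, flagging search-path entries that resolve against the current working directory. It audits environment search paths only (the loader flaw itself is fixed by upgrading Mono); the variable list and all function names are this example's assumptions.

```python
import os

# Search-path variables to audit. PATH and LD_LIBRARY_PATH are standard on Linux;
# MONO_PATH is Mono's assembly search path. The list is this example's choice.
SEARCH_PATH_VARS = ("PATH", "LD_LIBRARY_PATH", "MONO_PATH")


def cwd_dependent_entries(value, sep=":"):
    """Return (index, entry, reason) for each entry that depends on the CWD."""
    findings = []
    for index, entry in enumerate(value.split(sep)):
        if entry == "":
            # The shell and ld.so read a zero-length entry as the current directory.
            findings.append((index, entry, "empty entry (means current directory)"))
        elif os.path.normpath(entry) == ".":
            findings.append((index, entry, "explicit current directory"))
        elif not os.path.isabs(entry):
            findings.append((index, entry, "relative path (resolved against CWD)"))
    return findings


def audit_environment(env=None, names=SEARCH_PATH_VARS):
    """Map each audited variable that is set to its CWD-dependent entries."""
    env = os.environ if env is None else env
    report = {}
    for name in names:
        if name in env:
            hits = cwd_dependent_entries(env[name])
            if hits:
                report[name] = hits
    return report


def sanitized(value, sep=":"):
    """Return the search path with every CWD-dependent entry dropped."""
    bad = {index for index, _, _ in cwd_dependent_entries(value, sep)}
    return sep.join(e for i, e in enumerate(value.split(sep)) if i not in bad)


if __name__ == "__main__":
    # Constructed sample environment, not taken from the bug report.
    sample = {"PATH": "/usr/bin:.:/bin", "LD_LIBRARY_PATH": "/opt/app/lib:",
              "MONO_PATH": "lib:/usr/lib/mono"}
    for var, hits in audit_environment(sample).items():
        for index, entry, reason in hits:
            print(f"{var}[{index}] {entry!r}: {reason}")
        print(f"  suggested: {sanitized(sample[var])}")
```
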
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:26:03 UTC
Mono 2.8.1 contains this fix and has been released upstream.
Comment 2 Pacho Ramos gentoo-dev 2010-11-22 09:19:36 UTC
But, if we are going to stabilize a newer mono version to fix this one, I would prefer to find time for backporting the patch to mono-2.6 series, since I doubt mono-2.8 is ready to go stable.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:02:09 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:37:59 UTC
CVE-2010-4159 (
  Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and
  earlier allows local users to gain privileges via a Trojan horse shared
  library in the current working directory.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:51:17 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:36 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at
by GLSA coordinator Tobias Heinlein (keytoaster).