GNOME Bugzilla – Bug 485224
[PATCH] Insecure LD_LIBRARY_PATH Privilege Escalation
Last modified: 2008-02-26 20:46:36 UTC
Please describe the problem:

Quoting from [1]:

/usr/bin/tomboy from app-misc/tomboy contains the line:

    export LD_LIBRARY_PATH="/usr/lib64/tomboy:$LD_LIBRARY_PATH"

which yields LD_LIBRARY_PATH="/usr/lib64/tomboy:", which means that required libraries are also looked up in the current directory. In the case of tomboy, it is usually the user's home directory, but the user may run the application from directories like /tmp as well. If someone is able to copy bogus system libraries to this directory, the user could potentially run enemy code.

Please refer to [1] and [2] for details.

[1] https://bugs.gentoo.org/188806
[2] http://secunia.com/advisories/26480/
Created attachment 97264: tomboy-trunk-insecure-ldpath.patch

Should fix this issue.
Looks fine to me. I guess requiring bash isn't a big deal?
I researched again, this kind of expansion is POSIX and not bash specific as I first thought. A quick test also confirmed this.
ping
Applied to SVN Trunk (r1629) and to gnome-2-20 branch (r1630). Thanks for the report and patch!
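The attached patch is not reproduced on this page. As an added example (not the Tomboy patch itself), the sketch below assumes the POSIX expansion discussed in the comments is the `${VAR:+word}` form, and contrasts it with the line quoted in the report. The function names and the sample paths other than /usr/lib64/tomboy are hypothetical.

```shell
#!/bin/sh
# Added example, not project code. Function names are hypothetical.

# Form quoted in the report: leaves a trailing ":" when the inherited value
# is unset or empty. $1 = directory to prepend, $2 = inherited value.
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# POSIX ${var:+word} expands to word only if var is set and non-empty,
# so the ":" separator appears only when there is something to separate.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Succeeds (returns 0) if a colon-separated search path has a zero-length
# element (leading, trailing or doubled colon). ld.so treats such an element
# as the current working directory.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop zero-length elements from an inherited path, for the case where the
# caller's value is already unsafe. Runs in a subshell so IFS does not leak.
strip_empty_elements() (
    out=
    IFS=:
    set -f                      # no globbing while splitting on ":"
    for d in $1; do
        if [ -n "$d" ]; then
            out="${out:+$out:}$d"
        fi
    done
    printf '%s\n' "$out"
)

# Constructed demonstration: inherited value is empty, as in the report.
inherited=""
for candidate in "$(prepend_unsafe /usr/lib64/tomboy "$inherited")" \
                 "$(prepend_safe /usr/lib64/tomboy "$inherited")"; do
    if has_empty_element "$candidate"; then
        echo "UNSAFE: '$candidate' searches the current directory"
    else
        echo "ok:     '$candidate'"
    fi
done
```

`prepend_safe` only avoids adding a new empty element; if the inherited value already contains one, pass it through `strip_empty_elements` first.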