Bug 635614 - tomboy insecure LD_LIBRARY_PATH
Status: RESOLVED FIXED
Product: tomboy
Classification: Applications
Component: General
Version: unspecified
Hardware: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: Tomboy Maintainers
Reported: 2010-11-23 13:56 UTC by Luis Medinas
Modified: 2010-12-03 13:48 UTC
GNOME target: ---
GNOME version: ---


Attachments
CVE-2010-4005 (1.41 KB, patch)
2010-11-23 13:58 UTC, Luis Medinas

Description Luis Medinas 2010-11-23 13:56:11 UTC
Bug originally reported on https://bugzilla.novell.com/show_bug.cgi?id=642830

"The following files set LD_LIBRARY_PATH in a way that allows empty elements
which means the current directory is included:

/usr/bin/tomboy (+: instead of :+:)
/usr/bin/tomboy-panel (+: instead of :+:)"

Banshee already fixed this issue on git. Attaching a patch to fix this issue on tomboy.
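
The difference between the two expansions named in the report (`+:` and `:+:`), as an added example that is not part of the original report or the attached patch. `LIBDIR` and the sample `LD_LIBRARY_PATH` values are constructed for illustration, and `has_empty_element` is a hypothetical helper for auditing a search path.

```shell
#!/bin/sh
# Added example. LIBDIR is a hypothetical install directory, not the
# path used by the Tomboy wrapper scripts.
LIBDIR=/usr/lib/example-app

# Weak form: ${VAR+word} expands word whenever VAR is set, even if it is
# set to the empty string, which leaves a trailing ':' behind.
build_weak() {
    printf '%s\n' "${LIBDIR}${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
}

# Fixed form: ${VAR:+word} expands word only when VAR is set AND non-empty.
build_fixed() {
    printf '%s\n' "${LIBDIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
}

# Returns 0 when a colon-separated list has an empty element
# (leading colon, trailing colon, or two colons in a row).
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Show both forms for the three states of the inherited variable.
for state in unset empty set; do
    (
        case "$state" in
            unset) unset LD_LIBRARY_PATH ;;
            empty) LD_LIBRARY_PATH= ;;
            set)   LD_LIBRARY_PATH=/opt/lib ;;   # constructed sample value
        esac
        for builder in build_weak build_fixed; do
            path=$($builder)
            if has_empty_element "$path"; then
                verdict="empty element: current directory is searched"
            else
                verdict="ok"
            fi
            printf '%-6s %-12s %-32s %s\n' "$state" "$builder" "$path" "$verdict"
        done
    )
done
```

Only the set-but-empty case separates the two forms, which is why the weak expansion can pass casual testing.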
Comment 1 Luis Medinas 2010-11-23 13:58:55 UTC
Created attachment 175109
CVE-2010-4005

Patch to fix the issue. I'll attach a new one using git format-patch.
Comment 2 Sandy Armstrong 2010-11-23 14:17:04 UTC
Patch looks good, feel free to push to master and gnome-2-32 branch.
Comment 3 Luis Medinas 2010-12-03 13:48:02 UTC
Fixed in git master and gnome-2-32 branch. Most of the top distros already applied this patch but I guess it's better to roll a release.

Thanks