Description
===========
The Gentoo Security Team discovered that several ebuilds, such as
sys-apps/portage, net-mail/fetchmail or app-editors/leo execute Python
code using "python -c", which includes the current working directory in
Python's module search path. For several ebuild functions, Portage did
not change the working directory from emerge's working directory.
Impact
======
Multiple vulnerabilities have been found and corrected in dstat:
Multiple untrusted search path vulnerabilities in dstat before 0.7.0
allow local users to gain privileges via a Trojan horse Python module
in (1) the current working directory or (2) a certain subdirectory
of the current working directory (CVE-2009-3894, CVE-2009-4081).
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
optionally imprisoning the current process (and future descendants)
inside it.
II. Problem Description
The jail(8) utility does not change the current working directory while
imprisoning. The current working directory can be accessed by its
descendants.
III. Impact
Description
===========
Jan Oravec reported that the "/usr/bin/tomboy" script sets the
"LD_LIBRARY_PATH" environment variable incorrectly, which might result
in the current working directory (.) being included when searching for
dynamically linked libraries of the Mono Runtime application.
Impact
======
Description
===========
The "/usr/bin/blam" script sets the "LD_LIBRARY_PATH" environment
variable incorrectly, which might result in the current working
directory (.) being included when searching for dynamically linked
libraries of the Mono Runtime application.
Impact
======
Multiple heap-based buffer overflows allow remote attackers to execute
arbitrary code via a crafted EMF+ file (CVE-2009-2140).
OpenOffice's xmlsec uses a bundled Libtool that might load a .la
file from the current working directory, allowing local users to gain
privileges via a Trojan horse file. The vulnerability is only reachable
when xmlsec is built with the --enable-crypto_dl flag, which it is not;
the fix nevertheless keeps xmlsec protected against this threat whenever
that flag is enabled (CVE-2009-3736).
Problem Description:
A vulnerability has been found and corrected in sudo:
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does
not properly handle when a file in the current working directory has
the same name as a pseudo-command in the sudoers file and the PATH
contains an entry for ., which allows local users to execute arbitrary
commands via a Trojan horse executable, as demonstrated using sudoedit,
a different vulnerability than CVE-2010-0426 (CVE-2010-1163).
3. Problem Description
a. VMware Workstation and Player installer security issue
The Workstation 7.x and Player 3.x installers will load an index.htm
file located in the current working directory on which Workstation
7.x or Player 3.x is being installed. This may allow an attacker to
display a malicious file if they manage to get their file onto the
system prior to installation.
The issue can only be exploited at the time that Workstation 7.x or
Description
===========
Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the
current working directory, executing commands specified there.
Impact
======
A local attacker could prepare a specially crafted .valgrindrc file and
A certain application-launch script in Mozilla Firefox before 3.5.14
and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before
3.1.5, and SeaMonkey before 2.0.9 on Linux places a zero-length
directory name in the LD_LIBRARY_PATH, which allows local users to
gain privileges via a Trojan horse shared library in the current
working directory (CVE-2010-3182).
The LookupGetterOrSetter function in Mozilla Firefox before
3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x
before 3.1.5, and SeaMonkey before 2.0.9 does not properly support
window.__lookupGetter__ function calls that lack arguments, which
A vulnerability was discovered and corrected in gnucash:
gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length
directory name in the LD_LIBRARY_PATH, which allows local users to
gain privileges via a Trojan horse shared library in the current
working directory (CVE-2010-3999).
The affected /usr/bin/gnc-test-env file has been removed to mitigate
the CVE-2010-3999 vulnerability as gnc-test-env is only used for
tests and while building gnucash.
A vulnerability has been found in Qt Creator 2.0.0 and previous
versions. The vulnerability occurs because of an insecure manipulation
of a Unix environment variable by the qtcreator shell script. It
manifests by causing Qt or Qt Creator to attempt to load certain
library names from the current working directory (CVE-2010-3374).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
This vulnerability is exploitable through other products that F-Secure
products integrate with, most notably web browsers. One such example is a
combination of Mozilla Firefox and F-Secure Internet Security 2011. When
launched by double-clicking an .HTML file via Windows Explorer (or most
any other popular file manager), Firefox is started with the current
working directory (CWD) set to the folder where this file resides. If
F-Secure Internet Security is installed, Firefox displays its toolbar and
allows the user to view and edit the "Browsing protection" settings. These
get launched by Firefox and inherit its CWD, but they also integrate a
vulnerable 3rd party library QtCore4.dll, which blindly tries to load
wintab32.dll whether this library is present on the system or not. In the
service (system crash) in certain network device configurations.
CVE-2011-2905
Christian Ohm discovered that the 'perf' analysis tool searches for its
config files in the current working directory. This could lead to denial of
service or potential privilege escalation if a user with elevated privileges
is tricked into running 'perf' in a directory under the control of the
attacker.
CVE-2011-2909
>= 2.24.3
Description
===========
James Vega reported that gedit uses the current working directory when
searching for python modules, a vulnerability related to CVE-2008-5983.
Impact
======
Description
===========
Robert Buchholz of the Gentoo Security Team reported that
python-updater includes the current working directory and
subdirectories in the Python module search path (sys.path) before
calling "import".
Impact
======
following steps to determine the version of UCP installed on a
system:
1. Log in to the system where UCP is installed
2. Open a Windows command prompt
3. Change the current working directory to the default directory of
the CGI scripts that was specified during installation of UCP.
The default installation directory is
"C:\Inetpub\Wwwroot\securecgi-bin". Within this directory execute
the command "CSuserCGI ver".
Impact
======
A local attacker could place a specially crafted Python module in the
current working directory or the /var/tmp directory, and entice a user
to run the PDFjam scripts, leading to the execution of arbitrary code
with the privileges of the user running the application. A local
attacker could also leverage symlink attacks to overwrite arbitrary
files.
Description
===========
Robert Buchholz of the Gentoo Security Team reported that dstat
includes the current working directory and subdirectories in the Python
module search path (sys.path) before calling "import".
Impact
======
This update provides a security update to OpenOffice.org, described
as follows:
OpenOffice's xmlsec uses a bundled Libtool that might load a .la
file from the current working directory, allowing local users to gain
privileges via a Trojan horse file. The vulnerability is only reachable
when xmlsec is built with the --enable-crypto_dl flag, which it is not;
the fix nevertheless keeps xmlsec protected against this threat whenever
that flag is enabled (CVE-2009-3736).
A vulnerability has been found and corrected in tomboy:
The (1) tomboy and (2) tomboy-panel scripts in GNOME Tomboy 1.5.2 and
earlier place a zero-length directory name in the LD_LIBRARY_PATH,
which allows local users to gain privileges via a Trojan horse shared
library in the current working directory. NOTE: vector 1 exists
because of an incorrect fix for CVE-2005-4790.2 (CVE-2010-4005).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
A vulnerability has been found and corrected in nss_db:
The Free Software Foundation (FSF) Berkeley DB NSS module (aka
libnss-db) 2.2.3pre1 reads the DB_CONFIG file in the current working
directory, which allows local users to obtain sensitive information
via a symlink attack involving a setgid or setuid application that
uses this module (CVE-2010-0826).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
A vulnerability was discovered and corrected in mono:
Untrusted search path vulnerability in metadata/loader.c in Mono 2.8
and earlier allows local users to gain privileges via a Trojan horse
shared library in the current working directory (CVE-2010-4159).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
Multiple untrusted search path vulnerabilities in elf/dl-object.c in
certain modified versions of the GNU C Library (aka glibc or libc6),
including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat
Enterprise Linux, allow local users to gain privileges via a crafted
dynamic shared object (DSO) in a subdirectory of the current working
directory during execution of a (1) setuid or (2) setgid program that
has $ORIGIN in (a) RPATH or (b) RUNPATH. NOTE: this issue exists because
of an incorrect fix for CVE-2010-3847 (CVE-2011-0536).
The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC
(EGLIBC) allow context-dependent attackers to execute arbitrary code